7/29/2021 CISSP2018 Exam Simulation
https://www.kaplanlearn.com/education/test/print/47511308?testId=177713607
Test ID: 177713607
Domain 5 - Identity and Access Management (IAM)
Question #1 of 105 Question ID: 1114754
Which statements are true of memory cards?
a. Memory cards have more memory than smart cards.
b. Memory cards can provide two-factor authentication.
c. Memory cards have no processing power of their own.
d. Memory cards can supply static and dynamic passwords for authentication.
✗ A) option b
✗ B) option a
✗ C) option d
✓ D) options b and c
✗ E) option c
✗ F) options a and d
Explanation
Memory cards do not have processing power. They act only as a repository of data, such as user credentials, that can
be used for user authentication.
Memory cards provide two-factor authentication. A user must provide a PIN along with the memory card. Two-factor
authentication relies on something you know, such as a password, and something you have, such as a memory card.
Memory cards act as simple storage devices and do not have more memory than smart cards. Smart cards, sometimes
called processor cards, can process information because of the inbuilt processor and the auxiliary hardware. Smart
cards have a built-in processor and memory.
Tokens resemble credit cards and are used to supply one-time passwords (OTP), which are a combination of static and
dynamic passwords. Access tokens are best suited for high-security areas.
One of the disadvantages of memory cards is that they are easy to counterfeit.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Memory Cards
Question #2 of 105 Question ID: 1132533
You have discovered that 25% of your organization's computers have been attacked. As a result, these computers were used as part of a distributed denial of service (DDoS) attack. To what classification or area do the compromised computers belong?
✗ A) honeypot
✓ B) botnet
✗ C) DMZ
✗ D) VPN
Explanation
The compromised computers are members of a botnet. A botnet is created by a hacker when malware is copied to a
computer in your network that allows the hacker to take over the computer. Botnets are often used to carry out
distributed denial of service (DDoS) attacks.
A demilitarized zone (DMZ) is a protected area of a local network that contains publicly accessible computers.
Botnets can be located anywhere on your network.
A virtual private network (VPN) is a secure, private connection through a public network or the Internet. Botnets can be
located anywhere on your network.
A honeypot is a computer that is set up on an organization's network to act as a diversion for attackers. Often,
honeypots are left open in such a way to ensure that they are attacked instead of the more important systems.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5, Identity and Access Management, DoS/DDoS
Question #3 of 105 Question ID: 1105263
What is the best countermeasure for a buffer overflow attack on a commercial application?
✗ A) Edit the application code to include bounds checking to ensure that data is of an acceptable length.
✓ B) Update the software with the latest patches, updates, and service packs.
✗ C) Implement code reviews and quality assurance on a regular basis.
✗ D) Implement timestamps and sequence numbers.
Explanation
The best countermeasure for a buffer overflow attack on a commercial application is to update the software with the latest patches, updates, and service packs.
The best countermeasure for replay attacks is to implement timestamps and sequence numbers.
The best countermeasure for a buffer overflow attack on a company-developed, proprietary application would be to edit the application code to include bounds checking to ensure that data is of an acceptable length.
The best countermeasure for maintenance hooks is to implement code reviews and quality assurance on a regular basis.
A buffer overflow attack can be detected by examining packets that are being transmitted on your network using a packet sniffer. A long string of numbers in the middle of a packet is indicative of a buffer overflow attack.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Buffer Overflow
Question #4 of 105 Question ID: 1105337
Company management has decided to implement security policies across the organization. You must implement an access control method that uses the settings in the pre-configured security policies to make all decisions. Which access control method should you implement?
✓ A) rule-based access control
✗ B) mandatory access control
✗ C) discretionary access control
✗ D) role-based access control
Explanation
Rule-based access control uses the settings in pre-configured security policies to make all decisions. The rules defined usually include connection times and days. This type of access control is used by remote access connections.
None of the other options is correct.
Discretionary access control (DAC) is considered the least secure because security is enforced by data owners and is decentralized. Identity-based access control is implemented in a DAC model.
Mandatory access control (MAC) provides the strictest security mechanism. It assigns security labels to both subjects and objects. It relies on security clearances. This model is usually implemented in highly secure networks, such as military facilities. The Lattice model is based on MAC. The principles of least privilege and need to know are most strictly enforced in MAC. The Simple Security Property and the Star Property are key principles in MAC.
Role-based access control (RBAC) is not as strict as MAC. It assigns security based on roles and responsibilities. Therefore, it supports the management of access rights for groups of subjects. It is considered a task-based access control model.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Mandatory, Discretionary, Role, and Rule Based Access Control, http://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control
Question #5 of 105 Question ID: 1113987
Which entity can an administrator use to designate which users can access a file?
✗ A) a NAT server
✗ B) a proxy server
✗ C) a firewall
✓ D) an ACL
Explanation
An access control list (ACL) is a security mechanism that is used to designate which users can gain various types of access, such as read, write, and execute access to resources on a network. An ACL provides security as granular as the file level. The DAC model uses ACLs to identify the users who have permissions to a resource.
A firewall allows and denies network access through communications ports. A NAT server presents public Internet Protocol (IP) addresses to the Internet on behalf of computers on a private network. A proxy server can be used to enable hosts to access Internet resources. A proxy server can increase the performance of a network by caching Web pages, which can reduce the amount of time required for clients to access Web pages.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #6 of 105 Question ID: 1111746
Your organization's data center is a secured portion of your organization's building. Entry to the data center requires that users enter a five-digit password. Only users in the information technology (IT) department are allowed access to the data center, and all IT department personnel use the same five-digit password.
You must ensure that the password is changed appropriately. Which guideline should you NOT implement?
✗ A) Change the password at least every six months.
✗ B) Change the password when an IT department employee leaves the organization.
✓ C) Change the password when an IT department employee goes on extended leave.
✗ D) Change the password when the password has been knowingly compromised.
Explanation
You should NOT change the password when an IT department employee goes on an extended leave.
When the data center is protected by a password, you should adhere to the following guidelines:
Change the password at least every six months.
Change the password when an IT department employee leaves the organization.
Change the password when it has been knowingly compromised.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Prevent or Mitigate Access Control Threats
Question #7 of 105 Question ID: 1105330
You work for an organization that employs temporary employees on a rotating basis. The organization experiences high employee turnover. Which access control model is best used in this environment?
✗ A) mandatory access control
✗ B) discretionary access control
✓ C) role-based access control
✗ D) identity-based access control
Explanation
Role-based access control (RBAC) is best used in an environment where there is high employee turnover. When an employee leaves the company, it is much easier to add the employee's replacement to the role than to ensure that the new employee has all the permissions of the old employee.
Mandatory access control (MAC) is best used in an environment where confidentiality is the biggest concern. Each subject and object is given a security label. Administrative effort in this model can be relatively high due to this fact.
Discretionary access control (DAC) is used in environments where data owners need to control access permissions to their files. Administration in this model is usually decentralized. DAC would be difficult in an environment where there is high employee turnover because each data owner would need to be notified of employee resignations and replacements.
Identity-based access control is usually implemented in DAC environments. Identity-based access control should not be used in an environment where there is high employee turnover. In a very large environment, this type of access control would be an administrative burden.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #8 of 105 Question ID: 1105350
Which access control model provides the strictest security mechanism?
✓ A) mandatory access control
✗ B) identity-based access control
✗ C) discretionary access control
✗ D) role-based access control
Explanation
Mandatory access control (MAC) provides the strictest security mechanism. It assigns security labels to both subjects
and objects. This model is usually implemented in highly secure networks, such as military facilities.
Role-based access control (RBAC) is not as strict as MAC. Discretionary access control (DAC) is considered the least
secure because security is enforced by data owners and is decentralized. Identity-based access control is implemented
in a DAC model.
In a secure access control model, secure objects cannot be accessed by a subject with a less secure label.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #9 of 105 Question ID: 1114760
As a security professional, you have been asked to advise an organization on which access control model to use. You have decided that role-based access control (RBAC) is the best option for the organization. What are the advantages of implementing this access control model?
a. user friendly
b. low security cost
c. easier to implement
d. discretionary in nature
e. highly secure environment
✗ A) option c
✗ B) option d
✗ C) options a, b, and c only
✓ D) options b and c only
✗ E) all of the options
✗ F) option e
✗ G) option b
✗ H) option a
Explanation
Role-based access control (RBAC) has a low security cost because security is configured based on roles. For this
reason, it is also easier to implement than the other access control models.
RBAC is NOT user friendly. Discretionary access control (DAC) is more user friendly, because it allows the data owner
to determine user access rights. If a user needs access to a file, he only needs to contact the file owner.
RBAC is NOT discretionary in nature. DAC is discretionary.
RBAC is NOT a highly secure environment. Mandatory access control (MAC) is considered a highly secure environment because every subject and object is assigned a security label.
With RBAC, it is easy to enforce minimum privilege for general users. You would create the appropriate role, configure its permissions, and then add the users to the role. A role is defined based on the operations and tasks that the role should be granted. Roles are based on the structure of the organization and are usually hierarchical.
RBAC is a popular access control model used in commercial applications, especially large networked applications.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #10 of 105 Question ID: 1113989
What is a retrovirus?
✗ A) a virus which is based on an old virus but has been modified to prevent detection
✗ B) a virus that modifies other programs and databases
✓ C) a virus that attacks or bypasses anti-virus software
✗ D) a virus that includes protective code that prevents outside examination of critical elements
Explanation
A retrovirus attacks or bypasses anti-virus software. Retroviruses even attack the anti-virus program to destroy the virus definitions or to create bypasses for themselves.
As of the writing of this exam, there is no name for a virus based on an old virus that has been modified to prevent
detection.
A phage virus modifies other programs and databases. The only way to remove the virus is to reinstall the infected
applications.
An armored virus includes protective code that prevents examination of critical elements. The armor attempts to protect
the virus from destruction.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5, Identity and Access Management, Virus
What is retrovirus?, http://www.webopedia.com/TERM/R/retrovirus.html
Question #11 of 105 Question ID: 1105290
Which password type is usually the easiest to remember?
✗ A) static password
✗ B) dynamic password
✗ C) software-generated password
✓ D) pass phrase
Explanation
A pass phrase is usually the easiest to remember. Even though it is longer than a static password, it is considered
easier to remember because you can make it a sentence, such as "IAmSoGladThatChristmasOnlyComesOnceAYear."
Most systems do not use the actual pass phrase the user enters. Instead, they put this value through some type of
encryption or hashing function to come up with another format of that value, referred to as a virtual password.
A static password is one that is generated by the user. Password changes to static passwords happen at administrator-
defined intervals. A static password is considered harder to remember than a pass phrase because it is a single word
or small phrase and is usually changed more often than a pass phrase. Static passwords remain the same with each
log in, while dynamic passwords change with each log in.
A dynamic password and a software-generated password are the same thing. They are difficult to remember because
of their length and complexity. An asynchronous dynamic password token generates a new password that does not
have to fit into a fixed time window for authentication. A synchronous dynamic password token must be used within a
fixed time.
Pass phrases are not susceptible to brute force or dictionary attacks because they are more complex than regular
passwords.
Passwords are considered the least expensive access control to implement, but they are also the least secure.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Passphrase passwords
Question #12 of 105 Question ID: 1105319
Which protocol grants TGTs?
✓ A) Kerberos
✗ B) Telnet
✗ C) ARP
✗ D) L2TP
Explanation
Kerberos is a protocol that issues ticket-granting tickets (TGTs), which clients can then use to request session keys. A
Kerberos client can use a session key to gain access to resources.
Address Resolution Protocol (ARP) is used on TCP/IP networks to resolve Internet Protocol (IP) addresses to Media
Access Control (MAC) addresses. MAC addresses are assigned to network interface cards (NICs) and are used to
identify physical resources on a network. IP is used on TCP/IP networks to locate hosts. ARP enables Ethernet and
TCP/IP to interoperate.
Layer 2 Tunneling Protocol (L2TP) can be used to create secure virtual private network (VPN) connections.
Telnet is a TCP/IP protocol that enables a user to connect remotely to a server through a text-based interface. The user
can then use Telnet to remotely issue commands on the server as if it were the local computer.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Kerberos
Question #13 of 105 Question ID: 1105320
Your organization includes an Active Directory domain with three domain controllers. Users are members of organizational units (OUs) that are based on departmental membership. Which type of database model is used in the domain?
✓ A) a hierarchical database model
✗ B) a relational database model
✗ C) an object-relational database model
✗ D) an object-oriented database model
Explanation
An Active Directory domain, which uses the Lightweight Directory Access Protocol (LDAP), is a hierarchical database
model. A hierarchical database model uses a logical tree structure. LDAP is the most common implementation of a
hierarchical database model.
A relational database model is not used in the scenario. A relational database model uses rows and columns to arrange
data and presents data in tables. The fundamental entity in a relational database is the relation. Relational databases
are the most popular. Microsoft's SQL Server is a relational database.
An object-oriented database model is not used in this scenario. An object-oriented database (OODB) model can store
graphical, audio, and video data. A popular object-oriented database is db4objects from Versant Corporation.
An object-relational database model is not used in this scenario. An object-relational database is a relational database with a software front end written in an object-oriented programming language. Oracle 11g is an object-relational database.
Another type of database model is the network database model. This database model expands the hierarchical
database model. A network database model allows a child record to have more than one parent, while a hierarchical
database model allows each child to have only one parent.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Security Domains
Question #14 of 105 Question ID: 1113978
Which characteristic of a biometric system will not be considered during its implementation?
✗ A) ability to reject unauthorized individuals
✓ B) ability to modify the working pattern of a biometric device
✗ C) ability to maintain a standard level of performance
✗ D) ability to authenticate authorized individuals
Explanation
The ability of a biometric system to modify the working pattern of a biometric device is not an important consideration
while implementing a biometric system. The accuracy and usability of a biometric device are primary considerations. A
biometric system is considered effective if it has the following characteristics:
Ability to authenticate authorized individuals
Ability to reject unauthorized individuals
Ability to maintain a standard level of performance without showing signs of degradation
The biometric systems in their order of effectiveness are as follows:
Palm scan
Hand geometry
Iris scan
Retina pattern
Fingerprint
Voice print
Signature dynamics
Keystroke dynamics
An iris scan is usually the most expensive biometric technology, according to a Zephyr chart. A Zephyr chart is a
comparative chart that can be used to compare any two things and is not limited to information technology. The
comparison can be performed on specific features or on all general features.
Hand scans, retina scans, and voice scan biometric systems are not as costly as iris scan systems. Biometrics is an
automated means of authenticating identity based on physiological or behavioral characteristics.
Authentication through biometrics, such as fingerprints, palm scans, and hand geometry, is based on highly sensitive
results. A biometric system is highly expensive and sensitive, and should be highly accurate to meet the security
requirements of the organization. The accuracy results from repeated measurements of the physical and behavioral
characteristics of the users. Inaccuracies beyond the threshold limit are typically unacceptable. The objective of deploying a biometric system is to ensure that only authorized users are authenticated after their credentials are verified against their reference records, and that unauthorized users are not falsely granted access to sensitive resources.
High throughput, low enrollment time, and high user acceptability would actually positively affect the acceptance of a biometric device.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations
Biometrics, http://searchsecurity.techtarget.com/definition/biometrics
Question #15 of 105 Question ID: 1105329
Which statement describes the relationship between access control models and access control techniques?
✗ A) Access control models design the access control techniques.
✗ B) Access control models support the access control techniques.
✗ C) Access control techniques design the access control models.
✓ D) Access control techniques support the access control models.
Explanation
Access control techniques support the access control models. First, a company decides on the access control model
that it will use. The access control model is a formal description of the company's security policy. Once a model is
determined, the access control technique is determined. The technique used ensures that the model is implemented
properly.
None of the other options is correct.
Once the access control model and technique are decided, the company can determine which administrative model to use: centralized or decentralized. Some models and techniques force the use of a certain administrative model.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #16 of 105 Question ID: 1105287
You have implemented a biometric system that analyzes signature dynamics. This biometric system is an example of which biometric category?
✗ A) psychological
✗ B) physiological
✓ C) behavioral
✗ D) biological
Explanation
A signature dynamic biometric system is an example of a behavioral biometric system. A behavioral biometric system
analyzes what a person does and how they do it to control access.
There are two categories of biometric systems: physiological and behavioral. A physiological biometric system analyzes
a person's physical traits to control access. This type of system includes retina scans, iris scans, fingerprint scans, and
palm scans.
There are no psychological or biological categories of biometric systems.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Behavioral Characteristics
Question #17 of 105 Question ID: 1105364
You are performing user account reviews. You need to determine whether user accounts are being used. Which property should you verify?
✗ A) whether a password is required
✗ B) when the password was last configured
✗ C) whether user accounts are disabled
✓ D) when the last login occurred
Explanation
To determine whether user accounts are being used, you should verify when the last login occurred for every user account. If a user account has not logged in recently, either the user is not logging out properly or the user account is no longer being used.
You should not check when the password was last configured. Doing so will ensure that users are changing their passwords as stipulated in the password expiration policy. Passwords may not be changed if the user is not properly logging out each day.
You should not check whether a password is required. Doing so will ensure that user accounts are required to have a password.
You should not check whether user accounts are disabled. Disabled user accounts are not used. User accounts are often retained in a disabled state for a period of time. Restoring a user account once it is deleted is difficult.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Identity and Account Management
Question #18 of 105 Question ID: 1105279
What is the result of an increase in the type 2 errors of a biometric system?
✓ A) Unauthorized users are falsely authenticated.
✗ B) Reference records are automatically deleted.
✗ C) A user is required to authenticate more than once.
✗ D) Authorized users are falsely rejected.
Explanation
An increase in the type 2 errors of a biometric system results in erroneous authentication of unauthorized users. Type 2 errors represent the false acceptance rate (FAR) of the biometric system.
A user will be required to authenticate more than once against a biometric system only if the reference records are not clear and distinguishable. The number of authentication attempts depends on type 1 errors, not type 2 errors.
In the event of an increase in the number of type 1 errors, authorized users are denied access to the resources. This affects user productivity. Type 1 errors represent the false rejection rate (FRR) of a biometric system. A high value of FRR implies that a large number of authorized people are being denied access by the biometric system. The crossover error rate (CER) is the point at which the FRR equals the FAR. The CER rating for a biometric system is the most critical measurement used to determine the accuracy of the system. A CER value of 5 is better than a CER value of 10.
A biometric system does not automatically delete the reference records if there is an increase in the number of type 2 errors. A reference record is created for every user through an enrollment process that is used for authentication attempts later.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations
Question #19 of 105 Question ID: 1192948
Security personnel have reported that your organization's fingerprint biometric system is granting access to unauthorized users. What is the most appropriate reason for this occurrence?
✗ A) The biometric system has a low crossover error rate.
✗ B) The biometric system does not have ample storage space for all the employee records.
✓ C) The biometric system has a high type 2 error rate and allows the authentication of unauthorized users.
✗ D) Some specific features of fingerprints match and lead to the problem.
Explanation
The biometric system has a high type 2 error rate and allows the authentication of unauthorized users. A high type 2 error rate implies that unauthorized people are being falsely authenticated by the biometric system and that intruders could access critical resources. A high level of accuracy in a biometric system leads to greater user acceptance and provides higher throughput. The primary considerations while selecting a biometric system should be accuracy, throughput, reliability, and user acceptance.
Rejection of authorized users by a biometric system is termed a type 1 error. Granting of access to unauthorized users by a biometric system is termed a type 2 error. The accuracy of biometric systems is based on the false rejection rate (FRR), which reflects type 1 errors, and the false acceptance rate (FAR), which reflects type 2 errors. A high value of type 1 errors implies that a high percentage of valid authentication attempts are being rejected and employee productivity will be negatively affected, causing less user acceptance.
Granting access to unauthorized users is not the direct result of a low crossover error rate (CER). A low CER value for
a biometric device does not imply that the type 2 errors are high for the device. The CER is affected by type 2 errors.
However, type 2 errors are actually the reason unauthorized users are granted access. CER is the point at which the
FRR equals the FAR. The CER rating for a biometric system is the most critical measurement used to measure the
accuracy of the system. A CER value of 5 is better than a CER value of 10.
Matching of specific fingerprint features is not the best explanation. Every individual has a unique fingerprint, so the
complete fingerprint features of two employees do not match. A scanner compares only a limited set of extracted
features against a threshold, however, and any case in which that comparison accepts the wrong person is by definition
a type 2 error, which is the answer above.
If the biometric device does not have ample storage capabilities to store the reference files for all the employees, the
device will only authenticate those employees who have their reference records in the device. Therefore, low storage
space does not imply that the biometric device is authenticating the unauthorized users.
The following factors should be considered when selecting a biometric system:
Accuracy and reliability: If a biometric system rejects an authorized user, it is known as a type 1 error. If the biometric
system accepts an unauthorized user, it is known as a type 2 error. Type 2 errors are the most dangerous. However, the
aim is to minimize the occurrence of both errors and increase the accuracy of the biometric system.
Throughput: The enrollment phase for some biometric systems requires users to repeat the action to get a clear
record. The time spent is not desirable if there are many users to be scanned. Moreover, users may become
frustrated. Therefore, the aim should be to have faster biometric systems.
User acceptance: Sometimes people dislike the use of machines to read the patterns of their eyes or hands. This is
one reason for low user acceptance. Low throughput is another reason.
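The relationship between the acceptance threshold, FRR (type 1), FAR (type 2) and the crossover error rate described above, as an added example that is not part of the question bank. The match scores, the 0-100 score scale and the threshold sweep are constructed for the demo and do not come from any real biometric product.

```python
# Added example (not from the CISSP question bank): sweep an acceptance
# threshold over constructed matcher scores, compute the type 1 (FRR) and
# type 2 (FAR) error rates at each setting, and locate the crossover point.

# Constructed sample data: similarity scores (0-100) a hypothetical fingerprint
# matcher produced. Genuine = enrolled user against their own reference record;
# impostor = a different person against that same record.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 55, 48]
IMPOSTOR_SCORES = [72, 62, 58, 55, 49, 47, 42, 40, 35, 30]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) for a matcher that accepts when score >= threshold.

    FRR (type 1): fraction of genuine attempts rejected.
    FAR (type 2): fraction of impostor attempts accepted, the error behind
    'unauthorized users are being granted access'.
    """
    frr = sum(score < threshold for score in genuine) / len(genuine)
    far = sum(score >= threshold for score in impostor) / len(impostor)
    return frr, far


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (threshold, CER): the lowest threshold at which FRR and FAR are
    closest, and the error rate there. Lower CER means a more accurate system,
    so a CER of 5 beats a CER of 10."""
    best = None
    for threshold in range(0, 101):
        frr, far = error_rates(threshold, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, threshold, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def diagnose(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Map an operating point to the symptom an administrator would report."""
    frr, far = error_rates(threshold, genuine, impostor)
    if far > frr:
        return "intruders accepted (type 2 dominates): raise the threshold"
    if frr > far:
        return "valid users rejected (type 1 dominates): lower the threshold"
    return "balanced at the crossover point"


if __name__ == "__main__":
    for t in (40, 59, 90):
        frr, far = error_rates(t)
        print(f"threshold={t:3d}  FRR={frr:.1f}  FAR={far:.1f}  {diagnose(t)}")
    print("crossover:", crossover_error_rate())
```

Moving the threshold trades one error type for the other: the lenient setting (40) reproduces the scenario in the question, the strict setting (90) produces the productivity complaints the explanation warns about, and only the crossover point balances them.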
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations
Question #20 of 105 Question ID: 1111755
You are implementing new password policies on your company's network. You need to ensure that users must use 20
new passwords before reusing an old one. Which password policy setting should you implement?
✗ A) password complexity
✗ B) password length
✗ C) password age
✗ D) password lockout
✓ E) password history
Explanation
You should implement the password history policy setting. Password history allows you to configure how many new
passwords must be created before an old one can be reused. This setting enhances security by allowing the
administrators to ensure that old passwords are not being reused continually. Reused passwords are sometimes
referred to as rotating passwords.
Password age configures the minimum number of days that must pass before a user may change the password again and
the maximum number of days that may pass before a user is required to change it. The exam's guidance is to enforce a
maximum password age of 30 to 60 days; some companies force users to change their passwords monthly or quarterly.
Be aware that current NIST SP 800-63B guidance recommends against periodic forced changes unless there is evidence
of compromise, so follow whichever standard your organization has adopted. The interval should be determined based on
how critical the information is and on how frequently passwords are used. The configuration of the password age
setting is affected by the following:
the criticality of the information to be protected
the frequency of the password's use (password history)
the responsibilities and clearance of the user
Password length configures the minimum number of characters that must be used in a password. At minimum, this
policy should be configured to 7 or 8 characters (the exam's figure; NIST SP 800-63B sets 8 as the floor and encourages
longer passphrases). Be careful not to configure this value so high that passwords become hard to remember and end up
written down.
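The five settings named in the answer choices (history, age, length, lockout, complexity), implemented together as an added example that is not part of the question bank. The thresholds (12 characters, 1-day minimum and 60-day maximum age, 5 failed logons, 30-minute lockout), the sample account and passwords, and the deliberately low PBKDF2 iteration count are all assumptions made for the demo.

```python
# Added example (not from the CISSP question bank): a minimal account-policy
# engine implementing password history, age, length, lockout and complexity.
# All thresholds and sample credentials below are assumptions for the demo.
import hashlib
import os
from datetime import datetime, timedelta

POLICY = {
    "history": 20,            # new passwords required before an old one may be reused
    "min_length": 12,
    "min_age_days": 1,        # stops cycling through 20 changes in a minute to reuse a password
    "max_age_days": 60,
    "lockout_threshold": 5,   # failed logons before the account is locked
    "lockout_minutes": 30,
}
PBKDF2_ITERATIONS = 2_000     # kept low so the demo runs quickly; production uses far more


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def is_complex(password):
    """Complexity: upper case, lower case, digit and symbol must all be present."""
    return (any(c.isupper() for c in password) and any(c.islower() for c in password)
            and any(c.isdigit() for c in password) and any(not c.isalnum() for c in password))


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []        # (salt, hash) pairs, newest last; current password is history[-1]
        self.failed = 0
        self.locked_until = None
        self.changed_at = now
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-POLICY["history"]:]   # remember only the last N

    def change_password(self, new_password, now):
        """Return None on success, or the name of the policy setting that was violated."""
        if now - self.changed_at < timedelta(days=POLICY["min_age_days"]):
            return "age"
        if len(new_password) < POLICY["min_length"]:
            return "length"
        if not is_complex(new_password) or new_password.lower() == self.username.lower():
            return "complexity"
        if any(_hash(new_password, salt) == digest for salt, digest in self.history):
            return "history"
        self._store(new_password)
        self.changed_at = now
        return None

    def login(self, password, now):
        """Return 'ok', 'expired', 'locked' or 'bad'."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if _hash(password, salt) != digest:
            self.failed += 1
            if self.failed >= POLICY["lockout_threshold"]:
                self.locked_until = now + timedelta(minutes=POLICY["lockout_minutes"])
            return "bad"
        self.failed = 0
        if now - self.changed_at > timedelta(days=POLICY["max_age_days"]):
            return "expired"
        return "ok"


def demo():
    """Walk one constructed account through each setting; returns the outcomes."""
    t0 = datetime(2024, 1, 1)
    acct = Account("jsmith", "Ba1e$23q-first", t0)
    out = {}
    for _ in range(POLICY["lockout_threshold"]):          # lockout
        acct.login("wrong-guess", t0)
    out["locked"] = acct.login("Ba1e$23q-first", t0)
    day = t0 + timedelta(days=2)
    out["after_lockout"] = acct.login("Ba1e$23q-first", day)
    for i in range(POLICY["history"] - 1):                 # 19 new passwords
        day += timedelta(days=1)
        acct.change_password(f"Rotate#{i:02d}pass", day)
    day += timedelta(days=1)
    out["reuse_too_early"] = acct.change_password("Ba1e$23q-first", day)   # history
    out["twentieth"] = acct.change_password("Rotate#19pass", day)          # 20th new password
    out["too_soon"] = acct.change_password("Another$Pass99", day)          # minimum age
    day += timedelta(days=1)
    out["reuse_after_20"] = acct.change_password("Ba1e$23q-first", day)    # allowed now
    day += timedelta(days=1)
    out["short"] = acct.change_password("Ab1$", day)
    out["weak"] = acct.change_password("my32birthdayxx", day)
    out["expired"] = acct.login("Ba1e$23q-first", day + timedelta(days=61))
    return out
```

The minimum-age check is what makes a history of 20 meaningful: without it a user can change the password 20 times in a row and land back on the original within a minute.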
Password lockout configures the number of invalid logon attempts that can occur before an account is locked. Usually
this password lockout policy also allows you to configure how long the account remains in this state. In
some cases, you may want to configure the account lockout policy so that an administrator must be contacted to
enable the account again.
Password complexity configures which characters must make up a password to reduce the possibility of dictionary or
brute force attacks. A typical password complexity policy forces the user to incorporate numbers, letters, and
special characters. In addition, both uppercase and lowercase letters can be required. A password that uses a good
mix, such as Ba1e$23q, is more secure than a password that only implements part of these requirements, such as
My32birthday, NewYears06, or John$59. A brute force attack is more complex than a dictionary attack because the
brute force attack must work through all possible combinations.
Account policies should be enforced on all systems in the company. It is also a good practice to make sure that
passwords are masked on entry and are never stored in plaintext: store them as salted hashes produced by a slow
password-hashing function, and encrypt them in transit across the network.
As a good practice, a user's password should never be the same as the login account name.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Password Types and Management
Question #21 of 105 Question ID: 1105347
You have been hired as the security administrator for an organization that uses mandatory access control (MAC). When
using this type of access control, which entities make up a security label?
✓ A) classification and categories
✗ B) roles and privileges
✗ C) definitions and permissions
✗ D) identities and rights
Explanation
When using mandatory access control (MAC), a security or sensitivity label is comprised of a classification and different
categories. The classification indicates the sensitivity level of the subject or object, such as secret or top-secret. The
different categories enforce the need-to-know rules by categorizing the subjects and objects into categories, such as
human resources and accounting. The categories should be determined by the organization based on the organization's
access control needs.
The other entities are not valid parts of a security label.
MAC is more prohibitive in nature. Therefore, it is more secure than discretionary access control (DAC). However, DAC
is more flexible and scalable than MAC. MAC defines security levels that are imposed on all subjects and objects.
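A security label with both parts described above (a classification and a set of need-to-know categories), together with the dominance test a MAC system applies, as an added example that is not part of the question bank. The level names and ordering, the category names, the sample subject and objects, and the use of the Bell-LaPadula read/write rules are assumptions made for the demo.

```python
# Added example (not from the CISSP question bank): a MAC security label built
# from a classification plus a set of need-to-know categories, and the dominance
# test that decides read and write access. The levels, category names and the
# Bell-LaPadula read/write rules applied here are assumptions for the demo.
from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """True when this label is at least as high as `other` AND holds every
        category `other` carries. Both parts are required: a higher clearance
        alone does not satisfy need-to-know."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and other.categories <= self.categories)


def can_read(subject, obj):
    """Simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """Star property (no write down): the object must dominate the subject, so a
    secret-cleared user cannot copy secret data into an unclassified file."""
    return obj.dominates(subject)


def demo():
    """Constructed subject and objects; returns the access decisions."""
    hr_analyst = Label("secret", frozenset({"human resources"}))
    payroll = Label("confidential", frozenset({"human resources", "accounting"}))
    hr_memo = Label("secret", frozenset({"human resources"}))
    notice = Label("unclassified")
    return {
        "read_hr_memo": can_read(hr_analyst, hr_memo),     # same level, category held
        "read_payroll": can_read(hr_analyst, payroll),     # lower level, but 'accounting' not held
        "read_notice": can_read(hr_analyst, notice),       # reading down is fine
        "write_notice": can_write(hr_analyst, notice),     # writing down is blocked
        "write_hr_memo": can_write(hr_analyst, hr_memo),   # same label: allowed
    }
```

The payroll case is the one worth noticing: the analyst's clearance is higher than the file's classification, yet access is denied because the label's categories, not just its classification, drive the decision.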
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #22 of 105 Question ID: 1105284
Which type of card has an antenna that surrounds the card to allow the card to be read by the reader?
✗ A) contact smart card
✗ B) memory card
✗ C) smart card
✓ D) contactless smart card
Explanation
A contactless smart card has an antenna that surrounds the card to allow the card to be read by the reader. When the
card enters the electronic field of the reader, the card antenna powers the card's internal chip and communicates with
the reader.
A smart card is a card that can store and process information. Not all smart cards contain an antenna. A contact smart
card has a gold seal on the card's face, instead of an antenna inside the card. This type of smart card requires physical
insertion into the card reader.
A memory card stores information, but cannot process it. It also requires physical insertion into the card reader.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Smart Cards
Question #23 of 105 Question ID: 1111751
Your company network has reached such a large size that it is becoming increasingly difficult to manage user accounts
and passwords. Management has asked you to investigate a cloud solution that you could deploy to make
administration easier and to implement single sign-on. Which cloud deployment solution should you suggest?
✓ A) IDaaS
✗ B) PaaS
✗ C) IPaaS
✗ D) DBaaS
Explanation
Identity as a Service (IDaaS) is a cloud-based identity management solution that will allow an organization to
implement single sign-on. An IDaaS solution via a cloud provider usually includes the following:
Single sign-on
Provisioning
Password management
Access governance
Granular access controls
Centralized administration
Integration with internal directory services
Integration with external services
Integration Platform as a Service (IPaaS) is a cloud-based solution that enables the development, execution, and
governance of integration flows that connect on-premises and cloud-based processes, services, applications, and data,
within a single organization or across multiple organizations.
Database as a Service (DBaaS) is a cloud-based solution that supports applications without the application team
assuming responsibility for traditional database administration functions.
Platform as a Service (PaaS) is a cloud-based solution that allows customers to develop, run, and manage
Web applications without having to build and maintain the infrastructure typically associated with developing and
launching an app.
Objective: Identity and Access Management (IAM)
Sub-Objective: Integrate identity as a third-party service
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Identity as a Service (IDaaS)
Implementation
A simple guide to Cloud Computing, IaaS, PaaS, SaaS, BaaS, DBaaS, iPaaS, IDaaS, APIMaaS,
http://cloudramblings.me/2014/02/11/a-simple-guide-to-cloud-computing-iaas-paas-saas-baas-dbaas-ipaas-idaas-apimaas/
Question #24 of 105 Question ID: 1132534
Which security threats are NOT self-replicating?
a. worm
b. virus
c. spyware
d. Trojan horse
✓ A) options c and d
✗ B) option a
✗ C) option d
✗ D) option c
✗ E) all of the options
✗ F) options a and b
✗ G) option b
Explanation
Spyware and Trojan horses are security threats that are NOT self-replicating. Spyware is actually a type of Trojan
horse. These programs are downloaded and installed inadvertently when the user is downloading other programs.
Viruses and worms can both self-replicate, meaning that the virus or worm can actually copy itself to multiple locations.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Spyware
Spyware, http://searchsecurity.techtarget.com/sDefinition/0,sid14_gci214518,00.html
Trojan horse attacks, http://www.irchelp.org/irchelp/security/trojan.html
Question #25 of 105 Question ID: 1111748
Your organization has decided to add smart card authentication to the authentication scheme. Which attack is NOT
applicable to a smart card?
✗ A) physical attack
✗ B) social engineering attack
✗ C) logical attack
✓ D) dictionary attack
Explanation
The primary purpose of a dictionary attack is to identify passwords by comparing them to a large number of words in a
dictionary. This attack uses the logic that many users choose passwords that are dictionary words. A dictionary attack
program is fed with word lists and tries each word, usually with common variations such as capitalization or appended
digits, to derive the user password. This type of attack is carried out against passwords, not smart cards: a card's PIN
cannot be guessed this way because the card itself enforces a retry counter and blocks after a small number of wrong entries.
The attacks on smart cards can be categorized as follows:
A physical attack involves manipulation or alteration of the standard physical conditions of the smart card, such as
temperature, voltage, and frequency, to gain sensitive information. In a physical attack, the attacker initiates a
voltage fluctuation by using special equipment precisely during the personal identification number (PIN) verification
process. This allows the card functions to be performed in the same way as that of a legitimate user. Physical
attacks can be combined with logical attacks to gain access to sensitive information.
A logical attack occurs when unauthorized users gain access to the system by monitoring and capturing the bytes
of data going to and from the smart card. A timing attack is an example of a logical attack: the attacker sends chosen
inputs to the card, measures how long each operation takes, and infers bits of the private key from the timing differences.
A Trojan horse attack involves a Trojan horse application installed on a workstation. When a user enables the
private key by submitting a valid PIN for a trusted application, the rogue application sends its own request to the card to
digitally sign data of its choosing. The use of a single-access device driver architecture in the operating system is a
countermeasure used to prevent a Trojan horse attack. In this countermeasure, the operating system ensures that
only one application uses the smart card at a particular time.
Social engineering is the practice of obtaining confidential information by manipulating or tricking legitimate users.
Social engineering circumvents technological security measures by manipulating people to disclose crucial
authentication information. The primary goal of social engineering is to gain unauthorized access to either systems or
information or to commit fraud, network intrusion, industrial espionage, identity theft, or network disruption. For
example, an attacker impersonating a network technician may ask employees for the PINs of their
smart cards on the pretext of security. The attacker may later use the PIN, together with a stolen or borrowed card, to
gain unauthorized access to sensitive organizational resources. Social engineering often involves asserting authority or
pulling rank, intimidating or threatening, or praising or flattering to gain physical access to a secure facility.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Dictionary Attack
Question #26 of 105 Question ID: 1192954
Which type(s) of attack affect passwords?
a. sniffing
b. dictionary
c. brute force
d. data diddling
e. denial of service
f. social engineering
✗ A) option b
✗ B) option d
✗ C) all of the options
✓ D) options a, b, c, and f only
✗ E) option a
✗ F) option f
✗ G) option c
✗ H) options d and e only
✗ I) option e
Explanation
Passwords are susceptible to sniffing, dictionary attacks, brute force attacks, and social engineering attacks. In
addition, passwords can sometimes be obtained by gaining access to a network and accessing the password file.
Data diddling is an attack that alters data before or while it is entered into a system. Authorized users usually perpetrate this attack for financial gain.
A denial of service attack occurs when an attacker floods a system with certain types of messages to prevent the
system from replying to valid requests.
Sniffing occurs when an attacker captures traffic from a network to obtain user passwords. This technique often yields
many users' passwords at once. To prevent it, passwords should be stored only as salted hashes and transmitted only
over encrypted channels such as TLS; a protocol that sends the password in the clear is sniffable no matter how it is stored.
A dictionary attack and a brute force attack are very similar in that they both focus on cracking the password. The tools
used in dictionary and brute force attacks are sometimes referred to as password crackers.
Dictionary attacks employ the use of a dictionary of words as the password to repeatedly attempt to access a system
using a valid user account. To protect against dictionary attacks, a password complexity policy should be enforced that
requires using uppercase and lowercase characters, numbers, and symbols. A long dictionary attack can be executed
against an encrypted password file provided the attacker has access to the system, has read access to the password
file, and knows the encryption mechanism used to encrypt the password file.
Brute force attacks, sometimes known as exhaustive attacks, cycle through a much larger number of
possibilities that can include letters, numbers, and symbols. A password length policy that requires a longer
password directly increases the time a brute force attack takes, because every extra character multiplies the keyspace by
the size of the alphabet. A brute force attack can also be possible if a
token and a personal identification number (PIN) are used to access a system and the token performs offline checking
of the PIN. To protect against online brute force attacks, an account lockout policy should be enforced that locks out a
user's account after a certain number of unsuccessful logins.
Social engineering attacks take advantage of user trust to discover user credentials. An example of a social
engineering attack is a call from an unknown person who identifies himself as a member of the IT department and
requests your credentials. The most effective protection against social engineering attacks is to educate your users to
recognize and refuse such requests, backed by a procedure under which the help desk never asks for a password.
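The dictionary and brute force attacks described above, plus the effect of the two countermeasures the explanation names (password length against offline cracking, account lockout against online guessing), as an added example that is not part of the question bank. The word list, the accounts and their salted hashes, the mangling rules, the 94-symbol alphabet and the assumed guess rate are all constructed for the demo.

```python
# Added example (not from the CISSP question bank): an offline dictionary attack
# against a constructed salted-hash password file, the keyspace a brute force
# attack faces as length grows, and an online guessing attempt stopped by an
# account lockout. Word list, accounts, hashes and guess rate are assumptions.
import hashlib
import string


def hash_password(password, salt):
    # Plain salted SHA-256 so the demo runs fast; real systems use a slow KDF such as bcrypt or PBKDF2.
    return hashlib.sha256(salt.encode() + password.encode()).hexdigest()


# Constructed 'password file' an attacker with read access to the system might obtain.
PASSWORD_FILE = [
    ("alice", "s1", hash_password("Password1", "s1")),   # dictionary word + digit
    ("bob",   "s2", hash_password("dragon", "s2")),      # bare dictionary word
    ("carol", "s3", hash_password("Ba1e$23q", "s3")),    # random mix: survives the word list
]
WORDLIST = ["password", "dragon", "letmein", "welcome"]   # constructed, tiny


def mangle(word):
    """Candidate generator: a word and the variations cracking tools try first."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for digit in "0123456789":
        yield word + digit
        yield word.capitalize() + digit
    yield word.replace("a", "@").replace("o", "0")


def dictionary_attack(password_file=PASSWORD_FILE, wordlist=WORDLIST):
    """Offline: hash every candidate with each account's salt; return {user: password} for hits."""
    cracked = {}
    for user, salt, digest in password_file:
        for word in wordlist:
            hit = next((c for c in mangle(word) if hash_password(c, salt) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def brute_force_keyspace(length, alphabet=PRINTABLE):
    """Candidates an exhaustive attack must try; each extra character multiplies it by len(alphabet)."""
    return len(alphabet) ** length


def brute_force_years(length, guesses_per_second=1e10, alphabet=PRINTABLE):
    """Worst-case time at an assumed offline guess rate (the rate is a constructed figure)."""
    return brute_force_keyspace(length, alphabet) / guesses_per_second / (365 * 24 * 3600)


class OnlineTarget:
    """A logon endpoint with an account lockout policy; online guessing is bounded by it, not by hash speed."""
    def __init__(self, password, threshold=5):
        self.password, self.threshold = password, threshold
        self.failed, self.locked = 0, False

    def try_login(self, guess):
        if self.locked:
            return "locked"
        if guess == self.password:
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= self.threshold:
            self.locked = True
        return "bad"


def online_dictionary_attack(target, wordlist=WORDLIST):
    """Return (outcome, guesses made): stops at success or when the lockout triggers."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            result = target.try_login(candidate)
            if result in ("ok", "locked"):
                return result, guesses
    return "exhausted", guesses
```

Offline, the salt forces the attacker to re-hash each candidate per account but does not stop the attack; only the strength of the password (carol) or a slow hash does. Online, the same word list is cut off by the lockout after five guesses, which is why the lockout policy answers the online case and length and complexity answer the offline one.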
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Password Threats
Question #27 of 105 Question ID: 1105282
What is another term for two-factor authentication?
✗ A) smart card authentication
✗ B) user name/password authentication
✓ C) strong authentication
✗ D) biometric authentication
Explanation
Another term for two-factor authentication is strong authentication. Strong authentication requires two factors of
different types to authenticate a user. This can be implemented in many ways. Sometimes a user must provide a
user name and password, and must also pass biometric authentication to verify identity. Other times a user must provide
a user name and password, and use a smart card to verify identity.
Strong authentication draws on something a person knows, something the person has, and something the person is.
Any two of these three can be combined; two instances of the same type, such as a password plus a PIN, do not count as
two factors.
Biometric authentication authenticates a user based on something the person is and conducts a one-to-one search to
verify an individual's claim of an identity. This includes fingerprints, iris scans, retinal scans, palm scans, and voice
prints.
Smart card authentication authenticates a user based on something the user has. The smart card is inserted into or
placed within the reading range of a smart card reader. Once the card is read, the user sometimes inputs a personal
identification number (PIN). User name/password authentication authenticates a user based on something the user
knows. The user name and password must be provided by the user.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Single-Factor versus Multi-Factor
Authentication
Question #28 of 105 Question ID: 1105342
During a recent security audit at your organization, a rogue subject was discovered. You need to discover the access
rights for this subject only. Which entity should you review?
✗ A) group
✓ B) capability table
✗ C) access control list (ACL)
✗ D) access rights function
Explanation
You should review the subject's capability table. A capability table lists the access rights that one subject holds over
each object it can reach. Capability tables are bound to subjects.
A group is a subset of users that are grouped together based on their role, department membership, or other qualifying
criteria that the system administrator determines. Permissions can be assigned to groups to reduce administrative effort
for configuring access.
An access control list (ACL) is used to display the access rights subjects can take upon objects. Objects are bound to
ACLs.
There is no such thing as an access rights function.
The access control matrix model ensures that the appropriate access for objects is granted to subjects. It consists of a
list of subjects, a list of objects, a function that returns an object's type, and the matrix itself, where objects are columns
and subjects are rows. This model is commonly implemented using ACLs and capability tables. The rows of an access
control matrix indicate the capabilities that a user has to a number of resources. The columns of an access control
matrix indicate the capabilities that multiple users have to a single resource.
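The access control matrix described above, with the column view (an object's ACL) and the row view (a subject's capability table) derived from it, as an added example that is not part of the question bank. The subjects, objects and rights are constructed for the demo; the lookup at the end is the audit step the question asks about.

```python
# Added example (not from the CISSP question bank): an access control matrix
# with subjects as rows and objects as columns, the ACL (column) and capability
# table (row) views derived from it, and the audit lookup the question asks for.
# Subjects, objects and rights below are constructed for the demo.

MATRIX = {  # subject -> object -> rights
    "alice":      {"payroll.xlsx": {"read", "write"}, "hr_memo.txt": {"read"}},
    "bob":        {"payroll.xlsx": {"read"}, "build.log": {"read", "write", "execute"}},
    "svc-backup": {"payroll.xlsx": {"read"}, "hr_memo.txt": {"read"}, "build.log": {"read"}},
}


def acl(obj, matrix=MATRIX):
    """One column of the matrix: which subjects may do what to this object (bound to the object)."""
    return {subject: frozenset(rights[obj]) for subject, rights in matrix.items() if obj in rights}


def capability_table(subject, matrix=MATRIX):
    """One row of the matrix: everything this subject may do (bound to the subject)."""
    return {obj: frozenset(rights) for obj, rights in matrix.get(subject, {}).items()}


def is_allowed(subject, right, obj, matrix=MATRIX):
    """Reference-monitor check: a single cell of the matrix."""
    return right in matrix.get(subject, {}).get(obj, set())


def rights_via_acls(subject, matrix=MATRIX):
    """The same answer the long way round: walk every object's ACL looking for the
    subject. Correct, but it touches every object in the system, which is why the
    audit of one rogue subject should start from its capability table instead."""
    objects = {obj for rights in matrix.values() for obj in rights}
    found = {}
    for obj in sorted(objects):
        entry = acl(obj, matrix).get(subject)
        if entry:
            found[obj] = entry
    return found


def audit_subject(subject, matrix=MATRIX):
    """Flat, sorted list of (object, right) pairs for review of a single subject."""
    return sorted((obj, right)
                  for obj, rights in capability_table(subject, matrix).items()
                  for right in rights)
```

Both views answer the same question; the point of the exam item is which artifact is bound to the entity you are investigating, and for one subject that is its row of the matrix.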
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #29 of 105 Question ID: 1105325
Which activity is NOT covered under the confidentiality objective of the CIA triad?
✗ A) social engineering
✗ B) shoulder surfing
✓ C) treason
✗ D) dumpster diving
Explanation
Treason or subversion is not an activity that amounts to a breach of confidentiality. Therefore, treason cannot be
defined in the confidentiality objective of the Confidentiality, Integrity, and Availability (CIA) triad.
Treason or subversion refers to an attempt to destroy an authorized governing body. Treason is the crime of disloyalty
to one's nation or state. Confidentiality is the minimum level of secrecy maintained to protect sensitive information from
unauthorized disclosure.
All of the other options affect the confidentiality objective of the CIA triad.
Dumpster diving refers to searching the garbage collection area or dustbin to look for non-shredded confidential
documents. Dumpster diving can reveal confidential information that can affect the confidentiality and integrity of the
information to individuals. For example, non-shredded printouts containing project details can reach unauthorized
persons.
Shoulder surfing refers to examining someone's computer from behind to steal confidential information, such as user
passwords or information related to business. Such information can be used to break into the network or the system
and can affect the confidentiality and integrity of the information assets of the organization.
Social engineering refers to tricking someone into sharing classified information by posing as an authorized person
or using people skills to obtain proprietary or confidential information. Social engineering is used when the technical
methods of intruding into a network are impractical. Social engineering is used to reveal confidential information,
such as system passwords, which are later used by the intruder to gain unauthorized access either to the system or to
the network.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Dumpster Diving
Question #30 of 105 Question ID: 1105361
As a consultant, you have created a new security structure for a company that requires that passwords be issued to all
employees. The company's IT department has made several password distribution recommendations. Which method is
the most secure?
✗ A) Send an e-mail to each user that contains the user's password.
✗ B) Issue the same password to all users. Upon initial logon, force the users to change their passwords.
✓ C) Instruct users to report to the IT department with proper identification for password setup.
✗ D) Instruct users to send a password request e-mail.
Explanation
You should instruct users to report to the IT department with proper identification for password setup. This will ensure
that users access the appropriate account to create a user password.
Instructing the users to send a password request e-mail is not secure. E-mail is generally not encrypted end to end, so
anyone with access to the relays it passes through or the mailboxes it lands in can read it.
Sending an e-mail to each user that contains the user's password is not secure for the same reason: the e-mail can be intercepted.
Issuing the same password to all users and forcing the users to change their passwords upon initial logon is not secure.
Initially, any user would be able to access another user's account, especially if you use a common naming scheme for
the user accounts. If a user accessed another user's account, he could change that user's password and access all of
the user's data.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Provisioning Life Cycle
Question #31 of 105 Question ID: 1105324
You have been asked to implement a RADIUS solution that allows the usage of Voice over IP (VoIP) and wireless
services. Which RADIUS implementation should you use?
✗ A) TACACS
✓ B) Diameter
✗ C) XTACACS
✗ D) TACACS+
Explanation
You should use Diameter. Diameter was created as the successor to RADIUS to address new technologies that RADIUS
was not designed to handle, including Voice over IP (VoIP) and wireless services. Although Diameter was designed with
an upgrade path from RADIUS, it is not wire-compatible with it, so RADIUS servers generally need a translation agent to
work with Diameter servers.
Terminal Access Controller Access Control System (TACACS) is Cisco's family of AAA protocols that fills the same role
as RADIUS. TACACS is the first generation and combines the authentication and authorization processes. XTACACS is
the second generation and separates the authentication, authorization, and auditing processes. TACACS+ is the third
generation and provides all the features of XTACACS along with extended two-factor, dynamic password user
authentication.
Objective: Identity and Access Management (IAM)
Sub-Objective: Integrate identity as a third-party service
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, RADIUS and TACACS+
Question #32 of 105 Question ID: 1114763
Company management has decided to implement group policies to ensure that the company's security policies are
enforced across the organization. You must develop the appropriate group policies for your company. Which entities
can you manage with these new policies?
a. users
b. client computers
c. server computers
d. domain controllers
✗ A) option d
✗ B) none of the options
✗ C) option a
✗ D) option b
✗ E) option c
✓ F) all of the options
Explanation
Group policies can be used to manage users, client computers, server computers, and domain controllers. Group
policies are the most efficient way to manage a large number of users or computers. For example, you can configure a
group policy that forces users to change their password at the next login.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management Credential Management Systems
Question #33 of 105 Question ID: 1105357
You need to determine which users are accessing a Windows Server 2008 computer from the network. Which audit
category should you enable?
✗ A) Audit Account Logon Events
✗ B) Audit Account Management
✓ C) Audit Privilege Use
✗ D) Audit Object Access
Explanation
The Audit Privilege Use audit category audits instances of users exercising their rights. This category covers the
rights found in the Local Security Policy under Security Settings\Local Policies\User Rights Assignment. The Access this
computer from the network right is what allows users to access a computer from the network, which is why the exam
treats this category as the answer. In practice, note that Windows does not report the exercise of logon rights as
privilege-use events; network sessions are recorded by the logon audit categories as logon events with Logon Type 3,
so enable those as well when you need the actual list of remote users.
The Audit Account Logon Events audit category tracks all attempts to log on with a domain user account when enabled
on domain controllers. If you enable this policy on a workstation or member server, it will record any attempts to log on
by using a local account stored in that computer's user accounts database.
The Audit Account Management audit category monitors changes to user accounts and groups.
The Audit Object Access audit category tracks access to all objects outside Active Directory.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Accountability
Overview: Audit Privilege Use, http://www.ultimatewindowssecurity.com/Wiki/AuditCategory-PrivilegeUseLegacy.ashx
Question #34 of 105 Question ID: 1192955
You are implementing enterprise access management for your company. You need to ensure that the system you
implement allows you to configure a trust with another company such that your users can access the other company's
network without logging in again. What should you implement to ensure that this trust can be configured?
✗ A) biometrics
✗ B) smart cards
✓ C) federated identity management
✗ D) password management
Explanation
To ensure that you can configure a trust with another company that allows your users to access the other company's
network without logging in again, you should implement federated identity management. Federated identity
management allows single sign-on (SSO) between companies.
Password management is necessary in any enterprise access management implementation. If passwords are not
managed properly, security breaches are likely to occur. However, password management will not ensure that the trust
between the companies can be configured.
Smart cards provide a more secure login and authentication mechanism than passwords. However, smart cards will not
ensure that the trust between the companies can be configured.
Biometrics provides a more secure login and authentication mechanism than passwords or smart cards. However,
biometrics will not ensure that the trust between the companies can be configured.
Enterprise access management (EAM) provides access control management services to Web-based enterprise
systems. EAM provides SSO, role-based access control, and support for a variety of authentication mechanisms,
including passwords, smart cards, and biometrics.
Objective: Identity and Access Management (IAM)
Sub-Objective: Integrate identity as a third-party service
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management Federated Identity Management
Trends in enterprise identity and access management, http://searchsecurity.techtarget.com/tip/Trends-in-enterprise-
identity-and-access-management?ShortReg=1&mboxConv=searchSecurity_RegActivate_Submit&
Worst practices: Three big identity and access management mistakes, http://searchsecurity.techtarget.com/tip/Worst-
Practices-Three-big-identity-and-access-management-mistakes
You are designing the procedures for your company's user account review. Which actions should you include as part of
this review?
a. Ensure that all accounts are active.
b. Ensure that there are no duplicate accounts.
c. Ensure that all active accounts have a password.
d. Ensure that all passwords follow the complexity rules.
e. Ensure that all accounts conform to the principle of least privilege.
✗ A) option e
✗ B) all of the options
✗ C) option c
✗ D) option b
✗ E) options a and b only
✗ F) option a
✓ G) options c and e only
✗ H) option d
Explanation
When implementing user account reviews, you should ensure that all active user accounts have a password and that all user accounts conform to the principle of least privilege.
It is not necessary to ensure that all accounts are active. In most systems, there are usually some inactive accounts. These accounts may be maintained for employees on extended leave. In addition, it is not necessary to ensure that there are no duplicate accounts. Duplicate accounts may be necessary in some cases.
It is not necessary to ensure that all passwords follow the complexity rules. This is part of password maintenance, not account maintenance.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Identity and Account Management
Question #36 of 105 Question ID: 1105352
Which access control model is usually associated with a multi-level security policy?
✗ A) discretionary access control (DAC)
✓ B) mandatory access control (MAC)
✗ C) role-based access control (RBAC)
✗ D) rule-based access control
Explanation
A multi-level security policy is usually associated with mandatory access control (MAC). In MAC, sensitivity labels, also called security labels, are attached to all objects. These sensitivity labels contain a classification. For a subject to have write access to an object in a multi-level security policy, the subject's sensitivity label must dominate the object's sensitivity label.
Rule-based access control is an access control technique, not an access control model.
Role-based access control (RBAC) allows access to resources to be controlled by the user's role.
Discretionary access control (DAC) allows the resource owner to determine the level of access that users have.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Mandatory Access Control
Question #37 of 105 Question ID: 1105274
During a recent financial transaction, a digital signature and digital cash were provided. The digital cash is marked as identified. What is meant by this?
✗ A) the identity of the financial institution is known
✓ B) the identity of the cash holder is known
✗ C) the identity of the merchant is known
✗ D) the monetary type of the cash is known
Explanation
When digital cash is marked as identified, the identity of the cash holder is known. When digital cash is marked as
anonymous, the identity of the cash holder is unknown.
Anonymous digital cash does not identify the cash holder and uses blind signature schemes. Identified digital cash uses conventional digital signatures to identify the cash holder.
None of the other options are correct.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
Digital cash, http://www.cs.bham.ac.uk/~mdr/teaching/modules06/netsec/lectures/DigitalCash.html
Question #38 of 105 Question ID: 1192942
An attacker wants to discover which front-end devices are in use on your organization's network. Which type of device should the attacker use?
✗ A) Trojan horses
✓ B) probes
✗ C) spyware
✗ D) firewalls
Explanation
An attacker should use probes to discover which front-end devices are in use on your organization's network.
Firewalls are used to allow or deny certain traffic into or out of a network. Spyware is a type of malware that spies on
the user and records the user’s actions and often entries. A Trojan horse is a type of malware that misleads users of its
true intent.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
How to Handle and Identify Network Probes, http://cecs.wright.edu/~pmateti/Courses/499/Probing/How%20to%20Handle%20Network%20Probes.htm
Question #39 of 105 Question ID: 1111753
Management asks you to provide a list of all access controls that will detect when a security issue occurs. Which control is an example of this?
✓ A) audit log
✗ B) access control list (ACL)
✗ C) encryption
✗ D) router
Explanation
An audit log is an example of a detective technical control because it detects security breaches once they have
occurred. An audit log is also considered to be a compensative technical control.
Routers, firewalls, and access control lists (ACLs) are examples of preventative technical controls because they
prevent security breaches. They are all also compensative technical controls.
There are three categories of access control: technical, administrative, and physical controls. A technical control is a control that is put into place to restrict access. Technical controls work to protect system access, network architecture and access, control zones, auditing, and encryption and protocols. An administrative control is developed to dictate how security policies are implemented to fulfill the company's security goals. Administrative controls include policies and procedures, personnel controls, supervisory structure, security training, and testing. A physical control is a control that is implemented to secure physical access to an object, such as a building, a room, or a computer. Physical controls include badges, locks, guards, network segregation, perimeter security, computer controls, work area separation, backups, and cabling.
The three access control categories provide seven different functionalities or types:
Preventative - A preventative control prevents security breaches and avoids risks.
Detective - A detective control detects security breaches as they occur.
Corrective - A corrective control restores control and attempts to correct any damage that was inflicted during a security breach.
Deterrent - A deterrent control deters potential violations.
Recovery - A recovery control restores resources.
Compensative - A compensative control provides an alternative control if another control may be too expensive. All controls are generally considered compensative.
Directive - A directive control provides mandatory controls based on regulations or environmental requirements.
Each category of control includes controls that provide different functions. For example, a security badge is both a preventative physical control and a compensative physical control. Monitoring and supervising is both a detective administrative control and a compensative administrative control.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Accountability
Question #40 of 105 Question ID: 1114756
In which situations should an organization instruct its workforce to use multiple fingers for authentication to a biometric system?
a. The quality of user fingerprints is not sufficient.
b. The organization needs to minimize type 1 errors.
c. The organization needs to enable faster authentication of employees.
d. The organization needs multiple reference records and thus a lower FAR.
✗ A) option a
✗ B) option d
✗ C) option c
✗ D) options c and d
✗ E) options b and c
✓ F) options a and b
✗ G) option b
Explanation
A large percentage of the workforce does not carry fingerprint quality that is good enough for a fingerprint scan. This implies that it is difficult for a biometric system to accurately verify user credentials. Multiple fingers may be used to provide multiple patterns to a biometric system. This ensures a higher accuracy level during authentication. The significantly improved statistics obtained by using scans of multiple fingerprints result in an improved False Rejection Rate (FRR) and False Acceptance Rate (FAR).
Using multiple fingers will not enable faster authentication of employees. The time taken by a biometric system to process user credentials does not depend on the number of fingerprints used for the authentication process. A different system, such as a finger scan system, would allow faster authentication because some other systems have fewer features to compare.
A biometric system creates a single reference record for every user, irrespective of the number of fingerprints that have been scanned during the enrollment process. FAR and FRR are not affected by the size or number of the reference records.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Physiological Characteristics
Question #41 of 105 Question ID: 1192949
Your organization has deployed a hand geometry scan biometric system that will control access to the data processing center. Which characteristics are NOT evaluated by this biometric system? (Choose all that apply.)
✗ A) width of the hand
✓ B) ridge endings
✗ C) width of the fingers
✗ D) length of the fingers
✓ E) skin tone of the hand
Explanation
A biometric system performing a hand geometry scan will not evaluate the ridge endings on fingers or characteristics of
the skin of the hand. Ridge endings and bifurcations on fingers are evaluated by a fingerprint scan biometric system,
not by a hand geometry scan biometric system.
The geometry of a person's hand can be used as the basis of a biometric system. The geometry of a person's hands, i.e. the shape of the hand, the length of the fingers, and the width of the hand, are unique characteristics. A biometric system performing a hand geometry scan will identify those characteristics to authenticate a user. The system compares the user's attributes to the reference records that were gathered during the enrollment phase. If the attributes match, the user is granted access. Hand geometry scan-based biometric systems can use either the mechanical or the image detection technique to authenticate user credentials. Both of the methods verify hand attributes of a user for authentication purposes.
There are currently no systems used to scan and identify unique characteristics of a person's skin that can be used to authenticate the person. The results for a skin scan are not accurate, but they can be stored for reference. An important reason for NOT using a skin scan as a biometric system for employee authentication is the lack of any accurate and acceptable standard. Without such a standard, the authentication could be questioned.
A facial scan is based on an individual's bone structure, nose ridge, eye width, forehead structure, and chin shape. Such characteristics are captured by a camera and compared with the reference records of an employee gathered during the enrollment process.
Fingerprint systems match unique characteristics, referred to as minutiae matching, to authenticate or deny an access request. A fingerprint biometric system based on minutiae matching compares the location and direction of the ridge endings and bifurcations of a fingerprint.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Physiological Characteristics
Question #42 of 105 Question ID: 1114758
Your organization is considering launching an Identity as a Service (IDaaS) solution via a cloud provider. You need IDaaS to provide the following services:
A. single sign-on
B. provisioning
C. password management
D. access governance
Which are usually included as part of this solution?
✗ A) C and D only
✗ B) A, B, and C
✓ C) All of the services
✗ D) A and B only
✗ E) B and C only
Explanation
An IDaaS solution via a cloud provider usually includes the following:
Single sign-on
Provisioning
Password management
Access governance
The solution may also include the following:
Granular access controls
Centralized administration
Integration with internal directory services
Integration with external services
Objective: Identity and Access Management (IAM)
Sub-Objective: Integrate identity as a third-party service
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Identity as a Service (IDaaS) Implementation
Question #43 of 105 Question ID: 1114762
Which access control methods are considered non-discretionary in nature?
a. DAC
b. MAC
c. RBAC
d. CBAC
✗ A) option b
✗ B) options c and d only
✗ C) option c
✓ D) options b, c, and d only
✗ E) option d
✗ F) option a
Explanation
Role-based access control (RBAC), mandatory access control (MAC), and context-based access control (CBAC) are considered non-discretionary in nature. Non-discretionary methods are those that rely strictly on security policies or security levels to determine object access.
Discretionary access control (DAC) allows the resource owner to determine the level of resource access given to a user.
Non-discretionary access control methods usually use a central authority whose responsibility is to determine a subject's access rights based on a security policy. Because the access control authority does not design the security policy but enforces it, the access control is based on the user's role, responsibilities, or duties within the organization.
Lattice-based access control is another example of a non-discretionary access control method.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #44 of 105 Question ID: 1105304
Your organization wants to verify an employee by the pattern of blood vessels at the back of the employee's eyes. Which biometric system is recommended for authentication in this situation?
✓ A) retina scan
✗ B) facial scan
✗ C) iris scan
✗ D) eye recognition
Explanation
A retina scan is a biometric system that examines the unique pattern of the blood vessels at the back of an individual's eye. In a retina scan, a beam is projected inside the eye to capture the pattern and compare it with the reference records of the individual. The employee is authenticated only if a match is found. A retina scan provides better accuracy than an iris scan.
There are some disadvantages of using a retina scan. Employees are sometimes reluctant to pass through a retina scan because the test is considered too intrusive. Also, retina scan results can alter over a period of time. Other disadvantages are the expense, the enrollment time, and the complexity involved in its implementation.
An iris scan is based on the examination of unique patterns, colors, rings, and coronas of an individual's eye. Each characteristic is captured by a camera and compared with the reference records of an employee gathered during the enrollment process. Iris scanning provides better accuracy than fingerprinting, voice recognition, or facial recognition.
A facial scan is based on an individual's bone structure, nose ridge, eye width, forehead structure, and chin shape. Such characteristics are captured by a camera and compared with the reference records of an employee gathered during the enrollment process.
Eye recognition is not a biometric scan technology used for the authentication of an individual.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Physiological Characteristics
Question #45 of 105 Question ID: 1113988
Your organization has been awarded a federal government contract. You have been instructed to set up a server with an operating system that will enforce the access control rules required by the federal government. Which access control method will be implemented?
✓ A) mandatory access control
✗ B) identity-based access control
✗ C) role-based access control
✗ D) discretionary access control
Explanation
Mandatory access control (MAC) will be implemented. Security labels, such as secret, top secret, and so on, are used. This model requires that an operating system specifically designed for it must be used to enforce its rules. SELinux and Trusted Solaris are two examples of operating systems specifically designed for MAC environments.
Most standard operating systems can be used to enforce the other access control methods given. They can be implemented using user accounts, group accounts, and permissions.
Under MAC, only an administrator can change the category or classification of a subject or object. An access right that is expressly forbidden in the access control policy can never be granted in a MAC environment.
Identity-based access control is a type of discretionary access control.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #46 of 105 Question ID: 1105355
Which type of virus includes protective code that prevents outside examination of critical elements?
✗ A) phage virus
✗ B) stealth virus
✗ C) companion virus
✓ D) armored virus
Explanation
An armored virus includes protective code that prevents examination of critical elements, such as scans by anti-virus
software. The armor attempts to make it difficult to destroy the virus.
A companion virus attaches to legitimate programs and creates a program with a different file extension. When the user attempts to access the legitimate program, the companion virus executes in place of the legitimate program.
A phage virus modifies other programs and databases. The only way to remove the virus is to reinstall the infected applications.
A stealth virus prevents detection by hiding from applications. It may report a different file size than the actual file size as a method of preventing detection.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Virus
Armored virus, http://www.webopedia.com/TERM/A/Armored_Virus.html
Question #47 of 105 Question ID: 1105296
You have been asked to implement a biometric system that analyzes both the physical motions performed when a signature is signed, and the specific features of the signature itself. Which biometric method should you deploy?
✗ A) hand geometry
✗ B) keystroke dynamics
✗ C) digital signature
✓ D) signature dynamics
Explanation
You should implement signature dynamics. Signature dynamics is the biometric method that analyzes both the physical
motions performed when a signature is signed and the specific features of a person's signature. It usually captures the
speed of the signing, the pressure of the pen when signing, and the way the pen is held.
Hand geometry is a biometric method that analyzes the length and width of the hand. A digital signature is a method
whereby the identity of the person sending the data is verified. It ensures that the original data has not been modified.
Keystroke dynamics records a user's speed and motion when entering a phrase and compares it to stored data.
Dynamic signature verification (DSV) is another term for signature dynamics.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Characteristic Factors
Question #48 of 105 Question ID: 1105281
Which facial identification biometric system is most widely used?
✗ A) automatic face processing
✗ B) eigenfaces
✗ C) neural network
✓ D) feature analysis
Explanation
Feature analysis is the most widely used facial identification biometric system. While it is very similar to the eigenfaces technique, feature analysis allows for changes in facial expressions, such as frowning and smiling.
The eigenfaces technique is not as widely used as the feature analysis technique. Eigenfaces uses a two-dimensional, global grayscale to identify the distinctive characteristics of a person's face. A variation of the eigenfaces technique, called eigenfeatures, is being developed. It is based on facial metrics.
Neural networks are not as widely used because of their complexity. They compare the features of the live face with features of the reference face, or the stored face. Neural networks can identify faces in less-than-ideal circumstances.
Automatic face processing uses distance ratios between facial features. It is not as robust as the other technologies, but may be a good choice in dimly lit situations.
Facial identification systems use detection and recognition to process the facial images.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Characteristic Factors
Question #49 of 105 Question ID: 1192944
You have been asked to control the usage of portable USB drives in your Windows domain. What is the best way to do this using the least administrative effort?
✗ A) Disable USB devices via a local group policy.
✗ B) Remove the driver.cab file from every computer.
✗ C) Disable USB via the computers' BIOS programs.
✓ D) Disable USB devices via a domain group policy.
Explanation
You should disable USB usage via a domain group policy. This will provide a centralized means to manage USB
devices. Later, if a particular user or group needs to use a USB device, you can create a different USB drive policy for
that user or group and deploy it at the appropriate domain level. The two main security risks of USB drives are their
ease of concealment and data capacity. It is very easy to hide a USB drive or disguise it as something else. In addition,
the data capacity for USB devices continues to increase, allowing hundreds of gigabytes (GBs) of information to be
stored on a single device.
You should not disable USB usage via a local group policy. This would require that the group policy be implemented at
every computer. In addition, it would be possible for a local user to change this setting. If you need to enable USBs for
a user or group after disabling USB use via a local group policy, it would be necessary to change the policy at each
computer.
You should not disable USB usage via the computers' BIOS programs. This would require changing settings at every
computer. It would also be possible for local users to re-enable USB usage locally. Later, if you needed to enable USBs
for a user or group, it would be necessary to change the BIOS setting at each computer.
You should not remove the driver.cab file from every computer. While this would prevent the installation of most USB
devices, it would also affect the installation of any device that requires Windows driver files.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
Disabling USB Storage with Group Policy, http://www.windowsdevcenter.com/pub/a/windows/2005/11/15/disabling-usb-storage-with-group-policy.html
Question #50 of 105 Question ID: 1105288
Your company currently deploys Kerberos to provide authentication for all users on the network. Management has recently heard of security weaknesses in the Kerberos protocol. They have asked you to implement an authentication protocol that addresses the weaknesses in Kerberos. Which protocol should you deploy?
✗ A) TACACS
✓ B) SESAME
✗ C) RADIUS
✗ D) XTACACS
Explanation
You should deploy Secure European System for Applications in a Multi-vendor Environment (SESAME). SESAME was developed to improve upon the weaknesses in Kerberos. Unlike Kerberos, SESAME uses both symmetric and asymmetric encryption to protect data exchange and to authenticate subjects. SESAME uses a trusted authentication server at each host. It incorporates two certificates or tickets, one for authentication and one defining access privileges. It uses public key cryptography for the distribution of secret keys.
RADIUS, TACACS, and XTACACS are all authentication protocols for remote users. None of these services was
developed to improve on the weaknesses in Kerberos.
Kerberos and SESAME provide a centralized entity used to authenticate users. This same entity is responsible for
helping ensure that subjects are properly authorized using tokens or tickets. Therefore, both services address
authorization and authentication.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, SESAME
Question #51 of 105 Question ID: 1105299
What is the most common form of identification and authentication?
✗ A) biometrics
✓ B) user identification with reusable password
✗ C) smart cards
✗ D) two-factor authentication
Explanation
The most common form of identification and authentication is user identification with reusable password. User
identifications (IDs) and passwords are something a user knows.
Biometrics, while not the most common form of identification and authentication, is more secure than using user
identification and passwords. Biometrics is something you are. A fingerprint, for instance, would be more secure than a
password, because your fingerprint will never change.
Smart cards, something you have, are not commonly implemented because of expense. However, they are more
secure than using user identification and passwords. Smart cards are a Type 2 authentication factor.
Two-factor authentication must include two of the following three categories: something you know (Type I), something you have (Type II), or something you are (Type III). Two-factor authentication is not as common as using user identification and passwords.
Passwords are considered the weakest authentication mechanism. Pass phrases are somewhat stronger because of
their complexity.
When assessing identification and authentication controls, it is good to maintain a list of authorized users and their
approved access levels. A password policy should be implemented that forces users to change their passwords at
predefined intervals. User accounts should be terminated when employment is terminated, or suspended while the user
is on vacation or leave. Account lockout policies can ensure that unsuccessful login attempts will eventually result in an
account being locked out.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Identification and Authentication Implementation
Question #52 of 105 Question ID: 1105314
What enables remote access users to log on to a network through a shared authentication database?
✗ A) DES
✓ B) RADIUS
✗ C) SSH
✗ D) IPSec
Explanation
Remote Access Dial-In User Service (RADIUS) enables remote access users to log on to a network through a shared
authentication database. When a remote user logs on to a network that uses RADIUS, a RADIUS client sends a remote
user's credentials to a RADIUS server. A RADIUS server checks a remote user's credentials and sends a reply to the
RADIUS client. If the remote user's credentials are valid, then the RADIUS client will allow the remote user to log on to
the network. If the remote user's credentials are invalid, then the RADIUS client will not allow the remote user to log on
to the network. A war dialer program is typically used by attackers to access a company's internal network through its
remote access system.
Data Encryption Standard (DES) is a private key encryption standard that can be used to encrypt files. Internet Protocol
Security (IPSec) can be used to digitally sign and encrypt Internet Protocol (IP) packets. Secure Shell (SSH) is a
method for securing sessions between network computers. SSH is often used in Unix environments, but is also
available for Windows and OS/2 computers.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, RADIUS and TACACS+
RADIUS Protocol Security and Best Practices, http://technet.microsoft.com/en-us/library/bb742489.aspx
Question #53 of 105 Question ID: 1192950
A military research institution is planning to implement a biometric system to ensure complete privacy and
confidentiality within the institution. Four different vendors have given the specifications of their biometric systems.
Considering the following specifications, which option is recommended for the institution?
✓ A) Vendor A: Type 1 errors 80%, Type 2 errors 1%, CER 4%
✗ B) Vendor C: Type 1 errors 65%, Type 2 errors 8%, CER 35%
✗ C) Vendor D: Type 1 errors 15%, Type 2 errors 50%, CER 30%
✗ D) Vendor B: Type 1 errors 45%, Type 2 errors 10%, CER 8%
Explanation
The biometric system with a crossover error rate (CER) of 4% (Vendor A) is better than the other biometric devices.
Military research institutions are high-security environments. Therefore, type 2 errors should be kept to a minimum. In a
military institution, a high type 1 error count is not of prime importance. The primary consideration should be to ensure
that the biometric device does not allow an unauthorized intruder to have access to critical systems.
Rejection of authorized users by a biometric system is termed as a type 1 error. Granting of access to unauthorized
users by a biometric system is termed as a type 2 error. The accuracy of biometric systems is based on the False
Rejection Rate (FRR) that implies type 1 errors and the False Acceptance Rate (FAR) that implies Type 2 errors. The
CER is the point at which the FRR equals the FAR. The CER rating for a biometric system is the most critical
measurement used to determine the accuracy of the system. A CER value of 5 is better than a CER value of 10. For example,
voice pattern-based biometric systems have the highest CER values.
A high value of type 1 error implies that many valid authentication attempts are being rejected, and the employees'
productivity could be negatively affected, causing less user acceptance. A high value of type 2 error implies that
unauthorized people are being falsely authenticated by the biometric system and that intruders are being allowed to
gain access to the critical resources.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations
Question #54 of 105 Question ID: 1105316
In Kerberos 5, which entity grants a ticket? (Choose two.)
✗ A) KDC
✓ B) AS
✗ C) TGT
✓ D) TGS
Explanation
In Kerberos, a client is granted a TGT from an Authentication Server (AS), which is sometimes referred to as a Ticket
Granting Server (TGS). The client then sends its TGT to a Key Distribution Center (KDC), and the KDC sends a
session key to the client. The client then uses the session key to gain access to resources on a Kerberos network.
Because the KDC relies on a timestamp to determine the age of a request, a timestamp is included during key
exchanges. If the timestamp is older than the allowed grace period for requests, then it is possible that a hacker
intercepted the request. Therefore, a network that relies on Kerberos for authentication requires some type of time
synchronization service for hosts on a network.
After a client is authenticated on a network that uses Kerberos 5, the client is granted a ticket-granting ticket (TGT). To
ensure that tickets expire correctly, clock synchronization is used in Kerberos authentication. In a Kerberos exchange
involving a message with an authenticator, the authenticator contains the client ID and timestamp.
Kerberos is a network authentication protocol. It is designed to provide strong authentication by using secret-key
cryptography. Kerberos is available in many commercial products. The Kerberos protocol uses strong cryptography so
that a client can prove its identity to a server (and vice versa). After a client and server have used Kerberos to prove
their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about
their business. Because of all this, Kerberos addresses confidentiality and integrity. Kerberos provides an integrity
check service for messages between two entities through the use of a checksum.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Kerberos
Question #55 of 105 Question ID: 1114765
Your company has several UNIX servers on its network. These servers were configured before your employment in the
company and prior to the company establishing a server security policy. You are concerned about the root account on
these UNIX servers. Which security guidelines should you follow?
a. Disable the root account.
b. Only allow root login via the remote shell.
c. Only allow root login via the local console.
d. Limit administrator access to the root account.
✗ A) option c
✗ B) all of the options
✗ C) option b
✗ D) option d
✗ E) options a and b only
✓ F) options c and d only
✗ G) option a
Explanation
You should only allow root login using the local console. In addition, you should limit administrator access to the root
account.
It is not necessary to disable the root account on a UNIX server. It is a super-user account that allows administrators to
perform important administrative functions.
You should not allow root login using only the remote shell. If you need to access a UNIX system remotely using the root
account, you should use the su command. A software interface to the operating system that implements access control
by limiting the system commands that are available to a user is called a restricted shell.
If the root account is ever compromised, you should reset all user passwords.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Password Types and Management
Question #56 of 105 Question ID: 1105333
Which type of restriction does NOT help to limit or control access to a system?
✓ A) single sign-on
✗ B) location
✗ C) time of day
✗ D) transaction type
Explanation
Single sign-on is not a restriction. Single sign-on allows a user to enter credentials one time to access all resources on
the network. This principle protects against the need for users to remember multiple user names and passwords that
can sometimes occur in client/server environments.
All of the other options are restrictions that help to limit or control access to a system.
You can configure access restrictions based on physical or logical location. This includes configuring certain functions
so that they can only be performed locally using an interactive logon that occurs physically at the server's console, not
from a remote computer. You can also configure location restrictions whereby network addresses are used to limit
remote connections to a computer.
You can configure access restrictions based on time of day. This includes configuring the server so that certain users or
computers can only log on during certain hours. However, if for some reason a user must work outside the configured
hours, access would be denied.
You can configure access restrictions based on transaction type. This includes configuring permissions to individual
users based on what they are trying to do. You could allow certain users to only read a particular file, but allow other
users to both read and edit a particular file.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Content-Dependent Versus Context-Dependent
Question #57 of 105 Question ID: 1105271
What is employed when user accounts are created by one employee and user permissions are configured by another
employee?
✗ A) a two-man control
✗ B) a collusion
✓ C) separation of duties
✗ D) rotation of duties
Explanation
Separation of duties is employed when user accounts are created by one employee and user permissions are
configured by another employee. An administrator who is responsible for creating a user account should not have the
authorization to configure the permissions associated with the account. Therefore, duties should be separated.
Collusion is the involvement of more than one person in fraud. Separation of duties drastically reduces the chances of
collusion and helps prevent fraud.
A two-man control implies that two operators review and approve each other's work. A two-man control acts as a
crosscheck and reduces chances of fraud, minimizing the risks associated with operations involving highly sensitive
information. An operator generally performs disk or tape mounting, backup and recovery, and handling hardware. They
usually do not perform data entry.
Rotation of duties or job rotation implies the ability of an employee to carry out tasks of another employee within the
organization. In an environment using job rotation, an individual can perform the tasks of more than one role in the
organization. This maintains a check on other employees' activities, provides a backup resource, and acts as a
deterrent for possible fraud.
Separation of duties requires the involvement of more than one individual to accomplish a critical task. Separation of
duties ensures that no individual can compromise a system and is considered valuable in deterring fraud. Separation of
duties can be either static or dynamic. Static separation of duties refers to the assignment of individuals to roles and to
the allocation of transactions to roles. In static separation of duties, an individual can be either an initiator of the
transaction or the authorizer of the transaction. In dynamic separation of duties, an individual can have a dual role
where he can initiate as well as authorize transactions.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management,
Separation of Duties in Information Technology, http://www.sans.edu/research/security-laboratory/article/it-separation-duties
Question #58 of 105 Question ID: 1105344
You are a contractor for an organization that uses mandatory access control (MAC). What is the most important entity
in this environment?
✗ A) owner-determined controls
✗ B) role-based controls
✗ C) access control lists (ACLs)
✓ D) security label
Explanation
Security labels are the most important entity and are required in a mandatory access control (MAC) environment. They
consist of a classification and different categories. The classification indicates the sensitivity level of the subject
or object, such as secret or top-secret. The different categories enforce the need-to-know rules by categorizing the
subjects and objects into categories, such as human resources and accounting. The categories should be determined
by the organization based on the organization's access control needs.
Role-based controls are entities in a role-based access control (RBAC) environment. Access control lists (ACLs) are
lists of subjects that are authorized to access specific objects. They are used in many hardware implementations.
Owner-determined controls are used in a discretionary access control (DAC) environment.
Under MAC, labeling is required.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Question #59 of 105 Question ID: 1105266
What is the appropriate order of actions for access control?
✗ A) authentication, authorization, identification
✗ B) authentication, identification, authorization
✗ C) identification, authorization, authentication
✓ D) identification, authentication, authorization
Explanation
The appropriate order of actions for access control is identification, authentication, and authorization.
Identification is the process of identifying a user based on a user name, user identification (ID), or account number.
Authentication is the process of validating the user with a second piece of information, usually a password, pass
phrase, or personal identification number (PIN). Authorization is the process of granting the user access to data based
on the user identity and permissions.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Identification and Authentication
Implementation
Question #60 of 105 Question ID: 1113980
Management has requested that Active Directory be implemented on your network. What is the function of this service?
✗ A) It is the directory service used on a Novell network.
✓ B) It is the directory service used on a Windows Server 2003 network.
✗ C) It is the authentication service used on a Windows Server 2003 network.
✗ D) It is the authentication service used on a Novell network.
Explanation
Active Directory is the directory service used on a Windows Server 2003 or 2008 network. A directory service is an
operating system feature that provides a central repository for locating system resources, including users, computers,
and printers.
Active Directory is not used on a Novell network. The Novell equivalent to Active Directory is Novell Directory Services
(NDS).
The authentication service (AS), a part of Active Directory, performs authentication on behalf of the directory service.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Directory Services
Question #61 of 105 Question ID: 1192951
Why should an organization NOT deploy a biometric system based on fingerprinting technology?
✗ A) The CER value of the biometric system is very low.
✓ B) Employees are reluctant to use a biometric system that scans their fingerprints.
✗ C) The system demands immense overhead maintenance.
✗ D) Authentication results are not always accurate and reliable.
Explanation
A biometric system based on fingerprinting has a low user-acceptance level. While enrolling for future authentication
attempts, employees in an organization are often reluctant to provide their fingerprints as credentials. One reason for
this is the possibility of law enforcement officials using corporate records during a criminal investigation. Therefore, the
organization may not prefer to deploy a biometric system based on the fingerprint scan technology. The most
commonly deployed biometric systems are based on iris scan and retina scan technologies.
When the CER value is low, a biometric system is a good choice and should be deployed. The crossover error rate
(CER) is the point at which the false rejection rate (FRR) equals the false acceptance rate (FAR). The CER is used to
compare different biometric devices. A biometric device with a low CER value is considered better than one with a high
CER value. A low CER value indicates a high level of accuracy. For example, a CER value of 5 is better than a CER
value of 10 because it indicates a lower number of errors.
High overhead maintenance is a secondary consideration while deploying the biometric solution.
Biometric systems are the most expensive authentication mechanisms. Depending on the security needs of the
organization, an organization might prefer to deploy a biometric system that meets the security requirements of
maintaining the confidentiality, integrity, and availability of critical resources.
A biometric system, such as a fingerprint scan, is a complex and highly sensitive authentication system that provides a
high level of accuracy and reliability because it verifies a unique personal attribute of a user. Attributes are unique for
different individuals. A biometric system can provide a higher level of accuracy than other authentication mechanisms,
such as passwords.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations
Question #62 of 105 Question ID: 1105267
Your manager suspects that your network is under attack. You have been asked to provide information regarding traffic
flow and statistical information for your network. Which tool should you use?
✗ A) port scanner
✓ B) protocol analyzer
✗ C) vulnerability test
✗ D) penetration test
Explanation
A protocol analyzer provides information regarding traffic flow and statistical information for your network. A protocol
analyzer is also referred to as a network analyzer or packet sniffer.
None of the other tools can provide this information. A port scanner provides a list of open ports and services on your
network. A penetration test determines whether network security is properly configured to rebuff hacker attacks. A
vulnerability test checks your network for known vulnerabilities and provides methods for protection against the
vulnerabilities.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Sniffing and Eavesdropping
Question #63 of 105 Question ID: 1132525
Your network allows remote users to connect over the Internet. Recently, hackers have attempted to breach your
network. Management has decided to implement an authentication method that checks both ends of a connection.
Which authentication method should you implement?
✓ A) mutual authentication
✗ B) Kerberos authentication
✗ C) biometric authentication
✗ D) RADIUS authentication
Explanation
Mutual authentication checks the identity of both ends of the connection. It is often referred to as two-way
authentication.
Biometric authentication authenticates a user based on some physical quality, such as a fingerprint, iris scan, retina
scan, and so on.
Kerberos authentication requires a centralized management database of all user accounts and resource passwords. It
does not authenticate both ends of the connection. Windows 2000 and later implement Kerberos as the primary
mechanism for authenticating users requesting access to a network.
RADIUS provides centralized remote user authentication, authorization, and accounting. It does not authenticate both
ends of the connection.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
Mutual authentication, http://searchfinancialsecurity.techtarget.com/sDefinition/0,sid185_gci1255857,00.html
Question #64 of 105 Question ID: 1105359
You discover that a computer in your network has been infected by the C2MyAzz application. What is an effect of this
attack?
✓ A) It captures user passwords as they are entered.
✗ B) It monitors network traffic in real time.
✗ C) It allows others to remotely control the infected computer.
✗ D) It distributes incorrect IP address information for a specific host with the intent to divert traffic from its true destination.
Explanation
C2MyAzz captures user passwords as they are entered.
Snort is an example of an application that monitors network traffic in real time. DNS poisoning distributes incorrect IP
address information for a specific host with the intent to divert traffic from its true destination. Back Orifice 2000 (BO2K)
allows others to remotely control the infected computer.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
PWS:Win32/C2myazz, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=PWS%3aWin32%2fC2myazz
Question #65 of 105 Question ID: 1114753
When users log in to the network locally, they must provide their username and password. When users log in to the
network remotely, they must provide their username, password, and smart card.
Which statements are true regarding your organization's security?
a. The local network login uses one-factor authentication.
b. The local network login uses two-factor authentication.
c. The remote network login uses three-factor authentication.
d. The remote network login uses two-factor authentication.
✗ A) options b and c
✗ B) option b
✗ C) option a
✗ D) option c
✗ E) option d
✓ F) options a and d
Explanation
The local network login uses one-factor authentication. Although two items are being presented, both items are
considered to be something you know.
An example of a two-factor authentication system is an ATM card and personal identification number (PIN).
The remote network login uses two-factor authentication. Although three items are being presented, two items are
something you know and one is something you have.
Three-factor authentication uses something you know (e.g., a username or password), something you have (e.g., a smart
card), and something you are (e.g., biometric authentication).
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Single-Factor versus Multi-Factor
Authentication
One-, Two-, and Three-Factor Authentication, https://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/
Question #66 of 105 Question ID: 1192943
Which attack is NOT directed only at virtual machines?
✗ A) LDT
✗ B) RedPill
✗ C) Scooby Doo
✓ D) Man-in-the-middle
Explanation
A man-in-the-middle attack is not an attack on virtual machines only. It is an attack that uses eavesdropping to capture
authentication information.
Scooby Doo, RedPill, and LDT are all attacks that target virtual machines.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
Attacks on More Virtual Machine Emulators, http://pferrie.tripod.com/papers/attacks2.pdf
Question #67 of 105 Question ID: 1105310
Which characteristic of a biometric device should be considered if an organization wants to deploy a convenient
authentication procedure for employees without compromising the security in the facility?
✗ A) high FRR
✓ B) low FRR
✗ C) high FAR
✗ D) low FAR
Explanation
A low false rejection rate (FRR) of a biometric system is the primary consideration for an organization that seeks to
ensure a convenient authentication procedure for the users. A low FRR value implies a high level of user acceptance
and throughput but provides low security. The accuracy of the biometric systems depends on the FRR, which is termed
as a type 1 error, and the false acceptance rate (FAR), which is termed as a type 2 error.
A low FAR or type 2 error should be sought when security, not convenience, is the primary concern. The FAR value
should be low if the security of the organization is the primary concern. A low FAR value ensures that unauthorized
users are not granted access to critical resources.
A high FAR is never acceptable because it means that users who should not have access are being granted it.
A high FRR will frustrate users because valid users may be prevented access.
The crossover error rate (CER) is the point at which the FRR equals the FAR. The CER rating for a biometric system is
the most critical measurement used to determine the accuracy of the system. A CER value of 5 is better than a CER
value of 10.
The rejection of valid user credentials by a biometric system is termed as a type 1 error. Granting access to an
unauthorized user is termed as a type 2 error. A high number of type 1 errors negatively affects the employees'
productivity and acceptance and indicates that many valid authentication attempts are being rejected. A high number of
type 2 errors indicates that unauthorized users are being falsely authenticated by the biometric system.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations
Question #68 of 105 Question ID: 1192941
A user reports that she is unable to access a file server. You discover that there are numerous open connections on the
file server from several servers and routers. Which type of attack has affected the file server?
✗ A) man-in-the-middle attack
✗ B) privilege escalation
✓ C) denial-of-service (DoS) attack
✗ D) back door attack
Explanation
The file server has become the victim of a denial-of-service (DoS) attack. Because multiple routers and servers are
involved in the attack, a distributed DoS (DDoS) attack has actually occurred. A DDoS attack usually involves hijacking
several computers and routers to use as agents in the attack, which overwhelms the bandwidth of the attack victim.
Examples of DoS attacks include ping of death, smurf, and TCP SYN flooding.
Privilege escalation usually occurs by logging in to a system using your valid user account and then finding a way to
access files that you do not have permissions to access. This usually involves invoking a program that can change your
permissions, such as Set User ID (SUID) or Set Group ID (SGID), or invoking a program that runs in an administrative
context. There are several methods of dealing with privilege escalation, including using least privilege accounts,
privilege separation, and so on. Privilege escalation can also lead to DoS attacks. An example of privilege escalation is
gaining access to a file you should not access by changing the permissions of your valid account.
Back doors are hidden applications that vendors create to ensure that they are able to access their devices. After
installing new devices or operating systems, you need to ensure that all back doors and default passwords are either
disabled or reset. Often, hackers first attempt to use such back doors and default passwords to access new devices.
A man-in-the-middle attack occurs when a hacker intercepts messages from a sender, modifies those messages, and
sends them to a legitimate receiver.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, DoS/DDoS
Network Security: DoS versus DDoS attacks, http://www.crime-research.org/articles/network-security-dos-ddos-attacks/
Question #69 of 105 Question ID: 1105297
Your company's authentication system requires that a user input his user ID and password. Management has
requested that you implement a biometric system that can work in conjunction with the password to provide increased
security. Which biometric method should you deploy?
✗ A) password encryption
✗ B) password checkers
✓ C) keystroke dynamics
✗ D) password aging
Explanation
You should deploy keystroke dynamics. Keystroke or keyboard dynamics can work in conjunction with a password to
provide increased security. Keystroke dynamics records a user's speed and motion when entering a phrase and
compares it to stored data. This type of authentication, when used with a password or pass phrase, increases security
because it is harder to duplicate a person's typing style than just a password or pass phrase.
None of the other options is a biometric method. Password aging is a security method in which a password policy
forces a user to change his password after a certain amount of time. A password checker is a tool that detects a weak
password. Its primary benefit is that it can protect your network against dictionary or brute force attacks. Password
encryption is a password protection mechanism whereby the password is encrypted before it is transported across the
network.
Keystroke dynamics is considered a low-cost, non-intrusive biometric device that is transparent to users. One important
keystroke dynamics term is dwell time, which refers to the amount of time a user holds down a key. Another is flight
time, or the time it takes to switch between keys.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Characteristic Factors
Question #70 of 105 Question ID: 1105340
An organization wants to implement the access control model that is easiest to administer. Which access control
model should they use?
✗ A) MAC
✓ B) RBAC
✗ C) ACL
✗ D) DAC
Explanation
They should use role-based access control (RBAC). RBAC is the easiest access control model to administer. With
RBAC, each user is assigned to one or more roles. Object permissions are granted to the roles. The roles are easily
determined based on the roles defined within the organization. Examples of roles include data entry clerk, bank teller,
loan manager, network manager, and so on. In this way, RBAC can be mapped to the organizational structure of the
company.
An access control list (ACL) is not an access control model. It is an access control entity that gives a table of subjects
and the level of access granted to a particular object.
Mandatory access control (MAC) is usually considered difficult to implement because of several factors. First, a
specialized operating system is required for proper implementation. Also, each subject and object must be assigned a
security label. These labels are used to determine access rights.
Discretionary access control (DAC), while easier to administer than MAC, is not as easy to administer as RBAC. DAC
requires that the data owner determine the level of object access that should be granted to each subject. Subjects can
be users or groups of users. DAC is the easiest access control method to implement.
DAC and MAC can be effectively replaced by RBAC.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
You have been hired as a security consultant by a manufacturing company. During your tenure, you suggest that the
company implement a single sign-on system to prevent users from having to remember multiple user IDs and
passwords when accessing remote systems. Which technologies could the organization implement?
a. DAC
b. MAC
c. RBAC
d. RADIUS
e. Kerberos
f. SESAME
g. Active Directory
✗ A) option f
✗ B) option a
✗ C) option g
✗ D) option b
✗ E) options a, b, and c only
✓ F) options e, f, and g only
✗ G) option c
✗ H) option e
✗ I) option d
✗ J) options d, e, f, and g only
Explanation
The organization could implement Kerberos, Secure European System for Applications in a Multi-vendor Environment
(SESAME), and Active Directory. All three technologies provide single sign-on authentication.
Discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC) are three
access control models that help companies design their access control structure. While they work with authentication
technologies, they do not provide single sign-on authentication by themselves.
Remote Authentication Dial-In User Service (RADIUS) is an authentication, authorization, and accounting (AAA) protocol
used by dial-up, virtual private network (VPN), and other network access servers to authenticate remote users against a
central server. Alone, it does not provide single sign-on authentication.
Single sign-on provides many advantages. It is an efficient logon method because users only have to remember one
password and only need to log on once. Resources are accessed faster because you do not need to log in for each
resource access. It lowers security administration costs because only one account exists for each user. It lowers setup
costs because only one account needs to be created for each user. Single sign-on allows the use of stronger
passwords.
Other technologies that provide single sign-on authentication are security domains, directory services, and thin clients.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Single Sign-on
Question #73 of 105 Question ID: 1192952
✓ A)
✗ B)
✗ C)
Question #72 of 105 Question ID: 1105327
You are examining an access control matrix for your organization. Which entity corresponds to a row in this matrix?
✓ A) capability
✗ B) access control list (ACL)
✗ C) object
✗ D) subject
Explanation
A capability corresponds to a row in the access control matrix. A capability is the list of all the access permissions that
a subject has been granted, one entry per object.
An object is an entity in the access control matrix to which subjects can be granted permissions. A column in an access
control matrix corresponds to the access control list (ACL) for an object.
A row in an access control matrix corresponds to a subject's capability list, not simply to the subject itself.
Capabilities are granted by storing a list of rights with each subject.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Capabilities Table
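The row/column relationship described above, as an added example that is not part of the exam material: a small access control matrix in Python, with a function that returns a subject's row (its capability list), one that returns an object's column (its ACL), and the reference-monitor check that consults the matrix. The subjects, objects, and rights are constructed sample data, not taken from the page.

```python
# Access control matrix stored as {subject: {object: set_of_rights}}.
# Constructed sample data (assumed for this example, not from the exam page).
MATRIX = {
    "alice": {"payroll.xls": {"read", "write"}, "hr_policy.pdf": {"read"}},
    "bob":   {"payroll.xls": {"read"}, "build_server": {"execute"}},
    "carol": {"hr_policy.pdf": {"read", "write"}, "build_server": {"execute", "admin"}},
}


def capability_list(matrix, subject):
    """Row of the matrix: every (object, rights) pair the subject holds."""
    return dict(matrix.get(subject, {}))


def acl(matrix, obj):
    """Column of the matrix: every (subject, rights) pair for one object."""
    return {subj: rights[obj] for subj, rights in matrix.items() if obj in rights}


def is_authorized(matrix, subject, obj, right):
    """Reference-monitor check: does the subject hold `right` on `obj`?"""
    return right in matrix.get(subject, {}).get(obj, set())


def revoke_subject(matrix, subject):
    """Deprovisioning seen from the capability side: deleting the row removes
    the subject from every object's ACL at once, with no per-object cleanup."""
    matrix.pop(subject, None)


def revoke_object(matrix, obj):
    """Deleting an object seen from the ACL side: the column must be removed
    from every subject's row, which is why pure capability systems find
    object-level revocation harder than ACL systems do."""
    for rights in matrix.values():
        rights.pop(obj, None)
```

The two revocation helpers show why the exam distinguishes the two views: a capability list makes it cheap to answer "what can this subject do?" and to remove a subject, while an ACL makes it cheap to answer "who can touch this object?" and to remove an object.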
Which factor is the least important to consider while deploying a biometric system in an organization?
high productivity of the biometric system
low enrollment time of the biometric system
high accuracy of the biometric system
✗ D)
Question #74 of 105 Question ID: 1192946
✓ A)
✗ B)
✗ C)
✗ D)
high throughput of the biometric system
Explanation
High productivity is not an important factor to be considered during the deployment of a biometric system. The most
important characteristic to be considered during the deployment of a biometric system in an organization is the level of
accuracy it can provide.
The other factors that influence the selection of a biometric system are as follows:
Throughput: Throughput, or processing time, is the time taken by a biometric system to process an authentication
request initiated by a user. High throughput is a factor considered during the deployment of a biometric system.
Low enrollment time: During the enrollment phase, a user should provide credentials, such as a fingerprint, a
number of times to create a unique reference record that will be used for future authentication attempts. The
enrollment time for a biometric system should be kept at a minimum. A low enrollment time leads to higher user
acceptance.
User acceptance: A biometric system should have a high level of user acceptance. Users must be informed that the
organizational resources should be protected and that the system is not intrusive.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations
Recently, users in your organization have started complaining about the number of user IDs and passwords that they
must remember to access different resources on your network. Management has asked you to implement a system
whereby users are granted access to all resources after the initial domain authentication. Which technology should you
implement?
single sign-on
DAC
smart cards
biometric device
✗ E) MAC
Explanation
You should implement single sign-on. Single sign-on allows users to freely access all systems to which their account
has been granted access after the initial authentication. This is considered both an advantage and a disadvantage. It is
an advantage because the user only has to log in once and does not have to constantly re-authenticate when
accessing other systems. It is a disadvantage because the maximum authorized access becomes possible if a user
account and its password are compromised.
Discretionary access control (DAC) and mandatory access control (MAC) are access control models that help
companies design their access control structure. They provide no authentication mechanism by themselves.
Smart cards are authentication devices that can provide increased security by requiring insertion of a valid smart card
to log on to the system. They do not determine the level of access allowed to a system. Smart card systems are
considered more reliable than callback systems. Callback systems are usually not practical because they require users
to call in from a static phone number each time they access the network, while most remote users are on the road and
moving from place to place. An EMV chip-based bank card is an example of a smart card.
A biometric device can provide increased security by requiring verification of a personal characteristic, such as a
fingerprint, for authentication. It does not determine the level of access allowed to a system.
Single sign-on was created to remove the need to maintain multiple user accounts and passwords to access multiple
systems. With single sign-on, a user is given an account and password that logs on to the system and grants the user
access to all systems to which the user's account has been granted access. In a single sign-on network, the
authentication server is considered a single point of failure. If the authentication server goes down, authentication
cannot be completed.
When logging on to a workstation, the login process should validate the user only after all input data has been supplied.
This approach is necessary to ensure that all the required information has been submitted and that no information
that would aid an attacker trying to gain unauthorized access to the workstation or network has been disclosed. If a
login attempt fails, the user should not be told which part of the supplied login information was incorrect. For example,
you should not have separate error messages for an invalid user name and an invalid password, because the
difference lets an attacker enumerate valid accounts.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
Question #75 of 105 Question ID: 1105280
✗ A)
✗ B)
✗ C)
✓ D)
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Single Sign-on
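The login-message guidance above, as an added example that is not part of the exam material: a leaky login routine beside a hardened one. The user store, salt, password, and function names are constructed for the example; the hashing (PBKDF2-HMAC-SHA256 from the standard library) is a design choice of this example, not something the page prescribes. The hardened version collects both inputs, does the same amount of work whether or not the account exists, and returns one generic failure message.

```python
import hashlib
import hmac


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256, 100k iterations)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store (assumed sample data): user -> (salt, stored hash).
_SALT = bytes.fromhex("a3f1c2d4e5b60718a9c0b1d2e3f40516")
USERS = {"alice": (_SALT, _derive("correct horse battery staple", _SALT))}

# Dummy record so an unknown user costs the same PBKDF2 work as a real one;
# otherwise response time alone reveals which user names exist.
_DUMMY = (bytes(16), _derive("", bytes(16)))


def login_leaky(username: str, password: str) -> str:
    """The anti-pattern the exam warns about: two different messages let an
    attacker enumerate accounts, and the early return makes unknown users
    answer measurably faster than known ones."""
    if username not in USERS:
        return "invalid user name"
    salt, stored = USERS[username]
    if _derive(password, salt) != stored:
        return "invalid password"
    return "ok"


def login(username: str, password: str) -> str:
    """Hardened: validate only after both inputs are in hand, do constant work
    for known and unknown users, and never say which part was wrong."""
    salt, stored = USERS.get(username, _DUMMY)
    candidate = _derive(password, salt)
    # compare_digest avoids leaking the position of the first mismatching byte.
    if username in USERS and hmac.compare_digest(candidate, stored):
        return "ok"
    return "login failed"
```

The `username in USERS` check sits after the hash derivation on purpose: the expensive step always runs, so the only difference between "no such user" and "wrong password" is invisible to the caller.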
Which method is used by a user/process to claim who they are or to assert who they claim to be?
authentication
authorization
confidentiality
identification
Explanation
Identification is the method used by a user or process to claim who they are or to assert who they claim to be.
Identification involves supplying your user name, account number, or some other form of personal identifier. It is the
means by which a user provides a claim of his or her identity to a system.
Authentication is the process of proving that claim to the system. Authentication involves supplying a second piece of
information, such as a password, that is checked against a stored credential. If this piece of information matches
the stored information, the subject is authenticated. It is the testing or reconciliation of evidence of a user's identity.
Authorization is the process of determining whether the user can access a particular object within a system.
Authorization involves checking the subject's permissions to see whether the subject is allowed to carry out a certain
action. It is the rights and permissions granted to an individual to access a computer resource.
Confidentiality ensures that data is not disclosed to unauthorized subjects. It is one of the tenets of the CIA triad.
Accountability is a system's capability to attribute actions and behavior to a single individual within a system.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Identification and Authentication Concepts
Question #76 of 105 Question ID: 1105349
✗ A)
✗ B)
✓ C)
✗ D)
Question #77 of 105 Question ID: 1113991
✗ A)
✗ B)
What is a security enhancement for Linux that is implemented using a loadable kernel module?
discretionary access control (DAC)
mandatory access control (MAC)
low water-mark mandatory access control (LOMAC)
role-based access control (RBAC)
Explanation
Low water-mark mandatory access control (LOMAC) is a security enhancement for Linux that is implemented using a
loadable kernel module.
Role-based access control (RBAC) is an access control model that configures user access based on the user's role in
the company. It is not an implementation specific to Linux only.
Discretionary access control (DAC) is an access control model that configures user access based on the identity and
assignment of the user or on the groups to which the user belongs. This model leaves configuration at the discretion of
the resource owners. It is not an implementation specific to Linux only.
Mandatory access control (MAC) is an access control model that configures user access based on the user's security
clearance and object's security classification. It is not an implementation specific to Linux only.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
FreshMeat.net, Project Details for LOMAC, http://freshmeat.net/projects/lomac
Which of the following is NOT part of the access provisioning lifecycle?
creation
maintenance
✗ C)
✓ D)
Question #78 of 105 Question ID: 1113990
✓ A)
✓ B)
✗ C)
✗ D)
deletion
authentication
Explanation
Authentication is not part of the access provisioning lifecycle. Authentication is the process of verifying the identity of a
subject that is requesting access to a system or network.
Identity management is vital. The access provisioning lifecycle should be followed to ensure proper identity
management. The steps in the lifecycle include the following:
Creation - also referred to as provisioning
Maintenance - also referred to as review
Deletion - also referred to as deprovisioning, termination, or revocation
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Provisioning Life Cycle
You need to improve the user accountability for your company's network. Which feature(s) will provide this? (Choose all
that apply.)
audit logs
access control lists (ACLs)
encryption
passwords
Explanation
Audit logs and ACLs improve the user accountability for your company's network.
Passwords improve user authentication for your company's network. Encryption improves data confidentiality for your
company's network.
Question #79 of 105 Question ID: 1113986
✗ A)
✗ B)
✓ C)
✗ D)
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Accountability
The Importance of Audit Logs, http://www.datamation.com/columns/article.php/3578916/The-Importance-of-Audit-Logs.htm
Which security control system assigns users roles to dictate access to resources?
MAC
UDP
RBAC
DAC
Explanation
In role-based access control (RBAC), users are assigned roles to accomplish specific tasks. For example, a user might
be assigned to a role named standard for typical work on a computer, and the same user might be assigned to a role
named admin for work that requires administrative privileges. In an RBAC system, roles are granted or denied access
to network resources. The roles are used to identify the users who have permissions to a resource.
In mandatory access control (MAC), users and resources are assigned to security levels. In a MAC-based security
system, users can write documents at or above their assigned security level, and can read documents at or below their
assigned security level. The U.S. military uses MAC for access to documents and network resources.
In discretionary access control (DAC), users are assigned to groups, and users and groups are granted or denied
access to folders and files. Each folder and file in a DAC security system has an access control list (ACL) that is used
to determine which users and groups can gain access to a network resource. User Datagram Protocol (UDP) is a
protocol that is used on a TCP/IP network to support connectionless communications; it is not a security control system.
Objective: Identity and Access Management (IAM)
Question #80 of 105 Question ID: 1105341
✗ A)
✗ B)
✗ C)
✓ D)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
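The RBAC mechanics described above (users hold roles, roles hold permissions, administrators manage roles rather than per-user rights), as an added example that is not part of the exam material. The roles, permissions, and users are constructed sample data. It goes slightly beyond the question by adding two things a practitioner would expect in a real RBAC deployment: a role hierarchy (a loan manager inherits the teller's permissions) and a static separation-of-duty rule enforced at provisioning time.

```python
# Constructed role definitions (assumed sample data, not the exam's).
ROLE_PERMISSIONS = {
    "teller":        {"account:read", "account:deposit", "account:withdraw"},
    "loan_manager":  {"loan:read", "loan:approve"},
    "network_admin": {"router:configure", "firewall:configure"},
}
# Role hierarchy: a senior role inherits everything its junior roles can do.
ROLE_INHERITS = {"loan_manager": {"teller"}}
# Static separation of duty: no one may hold both roles in a pair.
MUTUALLY_EXCLUSIVE = [{"teller", "network_admin"}]

USER_ROLES = {"dana": {"teller"}, "erin": {"loan_manager"}, "frank": {"network_admin"}}


def effective_roles(role: str) -> set:
    """Expand one role through the hierarchy (depth-first, cycle-safe)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_INHERITS.get(r, ()))
    return seen


def permissions_for(user: str) -> set:
    """Union of the permissions of every role the user holds, inheritance included."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        for r in effective_roles(role):
            perms |= ROLE_PERMISSIONS.get(r, set())
    return perms


def is_authorized(user: str, permission: str) -> bool:
    return permission in permissions_for(user)


def assign_role(user: str, role: str) -> bool:
    """Provisioning step: grant a role, refusing combinations that violate
    separation of duty. Inherited roles count, so a loan manager (who inherits
    teller) still cannot also be a network admin."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(f"unknown role {role!r}")
    proposed = USER_ROLES.get(user, set()) | {role}
    expanded = set().union(*(effective_roles(r) for r in proposed))
    if any(pair <= expanded for pair in MUTUALLY_EXCLUSIVE):
        return False
    USER_ROLES[user] = proposed
    return True


def revoke_role(user: str, role: str) -> None:
    """Deprovisioning step: dropping the role removes every permission it carried."""
    USER_ROLES.get(user, set()).discard(role)
```

Because permissions are never attached to a user directly, a job change is one `revoke_role` plus one `assign_role`, and no object's ACL has to be touched. That is the administrative simplicity the question is testing for.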
A user in a small office environment explains to you that his office implements a small Microsoft workgroup. Users
commonly share folders with each other. Which access control model is represented in this example?
ACL
MAC
RBAC
DAC
Explanation
The access control model used in a small Microsoft workgroup where users commonly share folders with each other is
discretionary access control (DAC). The DAC model allows the resource owner to determine the level of resource
access given to a user, and makes the data owner responsible for granting other users access to owned resources.
DAC is considered by many companies to be a need-to-know access control implementation. Users-as-data-owners
can determine who needs access and when that access should be granted. Using a DAC model, object access can be
limited to certain days and certain times in the day. In DAC, a subject's rights should be suspended when he is on leave
or vacation and should be terminated when he leaves the company.
The mandatory access control (MAC) model gives data owners very little control over resource access; the ultimate
determination of resource access rests with the operating system. In the MAC environment, subjects and objects are
given labels, and the operating system compares those labels to determine the level of access that will be granted to
the subjects.
The role-based access control (RBAC) model determines object access based on a subject's role in the company. In
the RBAC environment, an administrator manages the relationship between subjects and objects. The data owner has
no control over the access rights of other users.
An access control model dictates how subjects access objects.
An access control list (ACL) is a list of subjects and the permissions that those subjects have on a particular object. An
ACL can be used in a DAC environment.
Question #81 of 105 Question ID: 1105285
✗ A)
✓ B)
✗ C)
✗ D)
An access control technique is used to support an access control model. The rule-based access control technique uses
rules to define acceptable and unacceptable actions between subjects and objects. The content-dependent access
control technique bases object access upon the object content. If one department can view employees' work history
and another group cannot view their work history, this is content-dependent access. Content-dependent access allows
granular control. The context-dependent access technique bases object access on the context of the object rather than
on data sensitivity. Access control that is a function of factors such as location, time of day, and previous access history
is context-dependent access control. Keep in mind that context-dependent access can increase processing and
resource overhead.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Which type of authentication guarantees the identity of a user?
a password
a retinal scan
a smart card
a security token
Explanation
A retinal scan views the pattern of the blood vessels in a user's retina to authenticate the user on a network. A retinal
scan is a biometric authentication method and is considered to guarantee the identity of a user, because it measures a
unique physical attribute that cannot be shared, lent, or stolen the way a credential can. Biometric authentication
methods scan unique physical or behavioral attributes to verify the user.
A security token is a small device that generates time-sensitive passwords. A smart card is a small plastic card that
contains authentication information. Passwords are another method for authenticating users. Passwords allow access
to resources. A security token, a smart card, or a password proves possession or knowledge of a credential, but cannot
by itself guarantee the identity of the person presenting it.
An authentication system that combines possession-based (physical), biometric, and knowledge-based security
methods is known as a multi-factor authentication system.
Question #82 of 105 Question ID: 1105338
✗ A)
✓ B)
✗ C)
✗ D)
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Characteristic Factors
The research department at your company has decided to implement a new file server. The department manager will
be responsible for granting access to the folders and files based on a user's or a group's identity. Which type of access
control model is being used?
ACL
DAC
RBAC
MAC
Explanation
Discretionary access control (DAC) is based on identity. This identity can be a user's identity or a group's identity, and is
sometimes referred to as identity-based access control. DAC is the type of access control that is used in local, dynamic
situations where subjects have the ability to specify what resources certain users can access.
An access control list (ACL) is not an access control model, although it is used in a DAC model. It is an access control
entity that lists user access levels to a given object.
Mandatory access control (MAC) is a model based upon security labels. Role-based access control (RBAC) is a model
based upon user roles.
An access control model should be applied in a preventative manner. A company's security policy determines which
access control model will be used.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
Question #83 of 105 Question ID: 1192945
✓ A)
✗ B)
✗ C)
✗ D)
Question #84 of 105 Question ID: 1113976
✗ A)
✗ B)
✓ C)
✗ D)
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
Your network has been the victim of an access control attack that involved the use of rainbow tables. What is contained
in these tables?
all possible passwords in a hash format
all accepted passwords
all accepted passwords in a hash format
all possible passwords
Explanation
Rainbow tables contain all possible passwords in a hash format. More precisely, a rainbow table is a precomputed
time-memory trade-off: rather than storing every hash explicitly, it stores chains of alternating hash and "reduction"
steps and keeps only each chain's start and end points, so an attacker who obtains an unsalted password hash can
recover the password without hashing the whole password space at attack time. Salting each password with a random
value defeats precomputed tables, because a table would have to be rebuilt for every salt. Access control attacks
against passwords include brute force attacks, rainbow tables, dictionary attacks, replay attacks, and social
engineering attacks.
None of the other options appropriately defines the contents of rainbow tables.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5, Identity and Access Management. Rainbow Table Attack
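A working rainbow table over a toy password space, as an added example that is not part of the exam material: it shows the precomputation (chains of hash and reduction steps, storing only start and end points), the lookup that recovers a password from an unsalted hash, and why a salted hash comes back empty. The password space (four-digit PINs), the hash function (SHA-256), the reduction function, and the chain parameters are all choices made for this example.

```python
import hashlib

ALPHABET = "0123456789"
PW_LEN = 4                       # toy space: 10,000 four-digit PINs
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40                   # hash/reduce steps per chain


def H(pw: str) -> str:
    """The unsalted hash the table is built against (SHA-256 for this example)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def R(digest: str, col: int) -> str:
    """Reduction function: map a hash back into the PIN space. Making it depend on
    the column is what makes this a *rainbow* table (vs. Hellman chains) and limits
    the damage when two chains collide."""
    n = (int(digest[:16], 16) + col) % SPACE
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(reversed(out))


def chain(start: str, steps: int = CHAIN_LEN) -> str:
    """Walk `steps` rounds of H then R from `start`; return the password reached."""
    pw = start
    for col in range(steps):
        pw = R(H(pw), col)
    return pw


def build_table(starts):
    """Precomputation: only endpoint -> start is stored. Every intermediate
    password/hash pair is recomputed on demand, which is the memory saving."""
    table = {}
    for s in starts:
        table[chain(s)] = s          # on an endpoint collision the later chain wins
    return table


def lookup(table, target: str):
    """Recover a preimage of `target` from the table, or None if it is not covered."""
    # Guess the column the target hash sits in, from the last column backward,
    # and walk to the chain end to see whether that endpoint is known.
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = R(H(pw), c)
        start = table.get(pw)
        if start is None:
            continue
        # Regenerate the candidate chain and verify; this rejects false alarms
        # caused by chains that merged.
        cand = start
        for c in range(CHAIN_LEN):
            if H(cand) == target:
                return cand
            cand = R(H(cand), c)
    return None


# Constructed table: 100 chains of 40 steps, i.e. roughly 4,000 of 10,000 PINs covered
# while storing only 100 entries.
STARTS = [f"{i:04d}" for i in range(100)]
TABLE = build_table(STARTS)
```

Coverage is probabilistic (merged chains leave gaps), which is why real tables use many more chains and longer ones. The salted case fails not because the lookup is slower but because `H(salt + pin)` is the hash of a string outside the space the table was built over, so no chain can regenerate it.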
To which type of attack are wireless networks particularly susceptible?
buffer overflow
asynchronous attack
emanations capturing
maintenance hooks
Question #85 of 105 Question ID: 1192953
✓ A)
✗ B)
✗ C)
✗ D)
Explanation
Wireless networks are particularly susceptible to emanations capture. Emanations capturing involves using special
tools to eavesdrop on radio frequencies to capture traffic.
Wireless networks are not particularly susceptible to the other types of attacks listed.
Maintenance hooks are backdoors in applications that are built in by the application developers to perform
maintenance tasks. They enable code to be executed without the usual security checks.
A buffer overflow occurs when more data is written to a buffer than the application or operating system allocated for it.
An asynchronous attack, or a time-of-check/time-of-use (TOC/TOU) attack, happens when an attacker interrupts a task
between the check and the use and changes something to direct the result.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
CISSP Cert Guide (3rd Edition), Chapter 5, Identity and Access Management, Emanating
Your company has decided to allow users to dial into the network from remote locations. Because security is a major
concern for your company, you must implement a system that provides centralized remote user authentication,
authorization, and accounting. Which technology should you implement?
RADIUS
DMZ
Single sign-on
VPN
Explanation
You should implement Remote Authentication Dial-In User Service (RADIUS). RADIUS provides centralized remote
user authentication, authorization, and accounting. Similar technologies include Terminal Access Controller Access
Control System (TACACS), Extended TACACS, TACACS+, and Diameter.
Question #86 of 105 Question ID: 1105318
✓ A)
✗ B)
✗ C)
✗ D)
A virtual private network (VPN) is a technology that allows users to access private network resources over a public
network, such as the Internet. Tunneling techniques are used to protect the internal resources.
A demilitarized zone (DMZ) is an isolated subnet on a corporate network that contains resources that are commonly
accessed by public users, such as Internet users. The DMZ is created to isolate those resources to ensure that other
resources that should remain private are not compromised. A DMZ is usually implemented with the use of firewalls.
Single sign-on is a feature whereby a user logs in once to access all network resources.
RADIUS was originally defined in RFC 2138 and 2139, now superseded by RFC 2865 and 2866. A RADIUS server acts
as either the authentication server or a proxy that forwards requests to other authentication servers. The initial
network access server, which is usually a VPN server or dial-up server, acts as the RADIUS client by forwarding the
VPN or dial-up user's credentials to the RADIUS server. RADIUS is the protocol that carries the information between
the RADIUS client (the network access server) and the RADIUS server; the end user's own connection to the network
access server uses a separate access protocol, such as PPP for dial-up or an IPsec or L2TP tunnel for VPN.
The centralized authentication, authorization, and accounting features of RADIUS allow central administration of all
aspects of remote login. The accounting features allow administrators to track usage and network statistics by
maintaining a central database.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, RADIUS and TACACS+
In Kerberos 5, which type of entity is granted to a client after a client is authenticated?
TGT
AS
TGS
KDC
Explanation
After a client is authenticated on a network that uses Kerberos 5, the client is granted a ticket-granting ticket (TGT). To
ensure that tickets expire correctly, clock synchronization is used in Kerberos authentication. In a Kerberos exchange
Question #87 of 105 Question ID: 1105272
✗ A)
✗ B)
✗ C)
✓ D)
involving a message with an authenticator, the authenticator contains the client ID and a timestamp.
In Kerberos, the TGT is issued by the Authentication Service (AS) of the Key Distribution Center (KDC). The client
then presents its TGT to the KDC's Ticket Granting Service (TGS), which returns a service ticket and a session key
for the requested resource. The client then uses the session key and the service ticket to gain access to that resource
on a Kerberos network.
Because the KDC and the services rely on a timestamp to determine the age of a request, a timestamp is included
during key exchanges. If the timestamp is older than the allowed clock skew (five minutes by default), the request is
rejected, because it is possible that an attacker captured and replayed it. Therefore, a network that relies on Kerberos
for authentication requires some type of time synchronization service for hosts on the network.
Kerberos is a network authentication protocol. It is designed to provide strong authentication by using secret-key
cryptography. Kerberos is available in many commercial products. The Kerberos protocol uses strong cryptography so
that a client can prove its identity to a server (and vice versa). After a client and server have used Kerberos to prove
their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about
their business. Because of all this, Kerberos addresses confidentiality and integrity. Kerberos provides an integrity
check service for messages between two entities through the use of a keyed checksum.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Kerberos
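The timestamp and authenticator handling described above, as an added example that is not part of the exam material: the check a Kerberos-style service performs on an incoming authenticator, rejecting anything outside the clock-skew window and anything it has already seen inside that window (a replay cache). The authenticator is shown in the clear for readability (real Kerberos encrypts it under the ticket's session key); the class and field names are this example's own, while the two error names are the Kerberos error codes for those conditions.

```python
from dataclasses import dataclass

MAX_CLOCK_SKEW = 300  # seconds; the Kerberos default is five minutes


@dataclass(frozen=True)
class Authenticator:
    """What a client presents alongside a ticket. Shown unencrypted here;
    real Kerberos encrypts it under the session key carried in the ticket."""
    client: str
    timestamp: int   # client's clock, seconds since the epoch


class ReplayCache:
    """Service-side check: an authenticator must be fresh, and must not have
    been seen before within the freshness window."""

    def __init__(self, max_skew: int = MAX_CLOCK_SKEW):
        self.max_skew = max_skew
        self._seen = {}   # (client, timestamp) -> server time when first seen

    def _expire(self, now: int) -> None:
        # Entries older than the skew window could not be accepted anyway,
        # so they no longer need to be remembered.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.max_skew}

    def check(self, auth: Authenticator, now: int) -> tuple:
        """Return (accepted, reason) for one authenticator at server time `now`."""
        self._expire(now)
        if abs(now - auth.timestamp) > self.max_skew:
            # Clock out of sync, or a stale capture being replayed much later.
            return False, "KRB_AP_ERR_SKEW"
        key = (auth.client, auth.timestamp)
        if key in self._seen:
            # Same client and same timestamp inside the window: a replay.
            return False, "KRB_AP_ERR_REPEAT"
        self._seen[key] = now
        return True, "accepted"
```

The two checks are complementary: the skew test bounds how long a captured authenticator stays usable, and the cache closes the remaining window, which is why a Kerberos deployment needs both synchronized clocks and a replay cache on every service.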
Your organization uses the Kerberos protocol to authenticate users on the network. Which statement is true of the Key
Distribution Center (KDC) when this protocol is used?
The KDC is used to capture secret keys over the network.
The KDC is used to maintain and distribute public keys for each session.
The KDC is only used to store secret keys.
The KDC is used to store, distribute, and maintain cryptographic session keys.
Explanation
During the use of the Kerberos protocol, the Key Distribution Center (KDC) stores, distributes, and maintains both
cryptographic session keys and secret keys. The master key is used to exchange the session keys. The keys are
automatically distributed to the communicating client and the server. The KDC also provides the authentication services
for the users. Kerberos comprises a KDC, a realm of principals (users, services, applications, and devices), an
authentication service, tickets, and a ticket granting service.
The client requests resource access through the KDC. In response, the KDC generates a fresh random session key and
sends it to the client in two forms: one copy encrypted under the client's secret key, and one copy, inside the service
ticket, encrypted under the server's secret key. Each party decrypts its own copy, and the shared session key lets the
client and the server authenticate to each other and protect their communication.
The KDC does more than just store the secret keys.
The KDC cannot be used to capture secret keys over the network. Data capturing is performed by packet sniffer
software.
The KDC is responsible for storing the secret keys of the users and for generating session keys. Therefore, the KDC
does not deal with public keys for a user session.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5, Identity and Access Management, Kerberos
Question #88 of 105 Question ID: 1114759
You have implemented a computer system that is protected by MAC. Which activity(ies) are considered illegal on this
system?
a. read-down
b. read-up
c. write-down
d. write-up
✗ A) option a
✗ B) option b
✗ C) option c
✗ D) options a and d only
✗ E) option d
✓ F) options b and c only
✗ G) all of the options
Question #89 of 105 Question ID: 1114752
✗ A)
Explanation
Read-up and write-down activities are considered illegal on a computer system that is protected by mandatory access
control (MAC) enforcing the Bell-LaPadula confidentiality model. MAC is a type of nondiscretionary access control that
uses security levels and categories to restrict access to information. MAC assumes that users are careless and that
programs cannot be trusted to carry out the needs of users. On a MAC computer, security levels, such as confidential,
secret, and top secret, are similar to those used by the U.S. military.
Read-up is a user at a lower security level reading information at a higher level, which the simple security property
forbids. Write-down is a subject at a higher security level writing to an object that users at lower levels can view, which
the *-property forbids because it could leak classified information downward. Read-down and write-up activities are
allowed on a MAC computer or network.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models
You have been asked to deploy a biometric system to protect your company's data center. Management is concerned
that errors in the system will prevent users from accepting the system. Management stipulates that you must deploy the
system with the lowest crossover error rate (CER). Which term(s) are used in biometrics to determine this value?
a. ACL
b. EAR
c. ERR
d. FAR
e. FRR
✗ A) option d
✓ B) options d and e only
✗ C) option e
✗ D) option b
✗ E) option c
✗ F) options b and c only
✗ G) option a
Explanation
Two terms that are used in biometrics to determine the crossover error rate (CER) are false acceptance rate (FAR) and
false rejection rate (FRR). A lower CER indicates that the biometric system is more accurate. Various biometric types
can be compared in terms of their relative strengths and weaknesses with a Zephyr chart.
An access control list (ACL) is a list of subjects and the permissions granted to them on a specific object.
EAR and ERR are invalid terms.
FAR, also known as a Type 2 error, occurs when an invalid subject is granted access to the system.
FRR, also known as a Type 1 error, occurs when a valid subject is denied access to the system.
Another term that affects biometric systems is the throughput rate, or the rate at which users are scanned and
authenticated. A higher throughput rate is more acceptable than a lower one. However, if the throughput rate affects the
CER of the system, it should be lowered to improve the CER.
Enrollment time is the time it takes to register with the system by providing samples of a biometric characteristic. During
enrollment, the main approach to obtaining the biometric information from a collected sample of an individual's
physiological or behavioral characteristics is feature extraction.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Biometric Considerations

Question #90 of 105 Question ID: 1105343
Which statement best describes an access control list (ACL)?
✗ A) a list of all access levels that can be granted to a particular object
✓ B) a list of subjects that have been granted access to a specific object, including the level of access granted
✗ C) a list of all objects to which a subject has been granted access
✗ D) a list of all subjects that have been granted access to a particular object
Explanation
An access control list (ACL) is a list of subjects that have been granted access to a specific object, including the level of
access granted. An ACL must include the subjects, the objects, and the level of access.
Access control allows you to control the behavior, use, and content of any system, for example, an information system. It is
primarily used by the system administrator to control system usage by explicitly enabling or restricting access. The
primary purpose of access controls is to mitigate risks and reduce loss potential. An ACL coordinates access to system
resources (objects) based on some user or computer entity (subject) identifier. This identifier can be a user name,
personal identifier, or even an IP address. An ACL usually either explicitly allows or explicitly denies certain rights or
permissions. Typically, the types of access are read, write, execute, append, modify, delete, and create. Access
controls can be physical controls that control access to physical objects, such as buildings or rooms, or
system controls that control access to objects within a particular system once physical access has been granted, such
as the use of user names and passwords for logging in.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models

Question #91 of 105 Question ID: 1114755
What are the primary differences between the fingerprint and finger scan biometric systems?
a. Fingerprint systems require more time to process a user authentication request.
b. Finger scan systems require a higher processing time to authenticate a user request.
c. Fingerprint systems enroll the entire fingerprint, but finger scan systems extract specific characteristics.
d. Fingerprint systems enroll specific traits of the fingerprint, but finger scan systems enroll the entire fingerprint.
✗ A) option b
✗ B) option c
✓ C) options a and c
✗ D) options b and d
✗ E) option d
✗ F) option a
Explanation
Fingerprint systems enroll the entire fingerprint of a user for future authentication attempts. Finger scan systems extract
only specific characteristics of the fingerprint and enable faster processing of a user authentication request.
All the other options are incorrect.
Fingerprint systems match unique characteristics, referred to as minutiae matching, to authenticate or deny an access
request. A fingerprint biometric system based on minutiae matching compares the location and direction of the ridge
endings and bifurcations of a fingerprint. During enrollment and verification, the relevant information is collected from
the minutia points. Fingerprint systems based on global pattern matching represent a more macroscopic approach
and evaluate the flow of ridges in terms of arches, loops, and whorls.
Finger scan technology differs from fingerprint systems because the former extracts only specific features from
the fingerprint. This takes less hard drive space and fewer system resources while also allowing for quicker database lookups
and comparisons than fingerprint systems.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Physiological Characteristics

Question #92 of 105 Question ID: 1105278
During a recent security audit, you discover that a few users have been redirected to a fake Web site while browsing
the Internet. Which type of attack has occurred?
✓ A) hyperlink spoofing
✗ B) ICMP packet spoofing
✗ C) land attack
✗ D) network address hijacking
Explanation
Hyperlink spoofing, also referred to as Web spoofing, has occurred. Hyperlink spoofing is used by an attacker to
persuade the Internet browser to connect to a fake server that appears to be a valid session. The primary purpose of
hyperlink spoofing is to gain access to confidential information, such as PINs, credit card numbers, and bank
details of users.
Hyperlink spoofing takes advantage of people using hyperlinks instead of DNS addresses. In most scenarios, the DNS
addresses are not visible, and the user is redirected to a fake Web site after clicking a hyperlink.
A land attack involves sending a spoofed TCP SYN packet to an open port on the target host, with the target host's own
IP address and that port set as both the source and the destination. The land attack causes the system to either
freeze or crash because the machine continuously replies to itself.
ICMP packet spoofing is used by a smurf attack to conduct a denial-of-service (DoS) attack. A smurf is a DoS attack
that uses spoofed broadcast ping messages to flood a target host. In such an attack, the attacker sends a large number
of ICMP echo packets, with the source IP address spoofed to that of the target host, to IP broadcast addresses. This
results in the target host being flooded with echo replies from the entire network. This also causes the system to either
freeze or crash.
Network address hijacking allows the attacker to reroute data traffic from a network device to a personal computer.
Network address hijacking, which is also referred to as session hijacking, enables an attacker to capture and analyze
the data addressed to a target system. The attacker can gain access to critical resources and user credentials, such as
passwords, and unauthorized access to the critical systems of an organization. Session hijacking involves taking
control of an existing connection after the user has successfully created an authenticated session.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Spoofing

Question #93 of 105 Question ID: 1114749
Which method involves circumventing a lock for intrusion?
a. raking
b. shimming
c. spamming
d. SYN flood
✓ A) options a and b
✗ B) option c
✗ C) option d
✗ D) option a
✗ E) option b
Explanation
Raking is a technique used by intruders to circumvent a lock. For example, a pick is used to circumvent a pin tumbler
lock. Shimming is a technique in which an authorized user disassembles a lock without the use of an operating key.
Therefore, lock-picking is an example of shimming.
Spamming involves sending a large number of unsolicited commercial emails to unsuspecting clients. Spamming floods
the mailbox of a user and overloads a network, which adversely affects the performance of the network.
A SYN flood is an example of a network-based attack. In a SYN flood attack, the attacker repeatedly sends
synchronization (SYN) packets from spoofed IP addresses to the victim's host computer. The victim's host computer
responds with valid synchronization acknowledgement (SYN-ACK) packets and keeps waiting for the
acknowledgement (ACK) packet to complete the TCP three-way handshake for data transfer. In the absence of
the ACK packets from the malicious computer, the victim's host computer continues to respond to each connection
attempt from the hostile computer. This results in denial of service to legitimate hosts because of resource exhaustion.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
The Rake Method: A Brief Guide, https://www.bumpmylock.com/pages/the-rake-method-a-brief-guide.html

Question #94 of 105 Question ID: 1105295
An organization requires that a research facility is protected by the highest form of access control system. The
organization decides to implement biometrics. You have been consulted regarding which biometric system to
implement. Management wants to minimize privacy intrusion issues for users. Which biometric method should you
suggest based on management's concern?
✗ A) fingerprint
✗ B) iris scan
✓ C) voice print
✗ D) retinal scan
Explanation
You should suggest a voice print biometric system based on management's concern. A voice print is considered less
intrusive than the other options given.
Both an iris scan and a retinal scan are considered more intrusive because of the way in which the scan is completed.
Most people are reluctant to have a scanner read any eye geometrics.
A fingerprint is more intrusive than a voice print. Most people are reluctant to give their fingerprint because fingerprints
can be used for law enforcement.
A voice print is very easy to obtain. Its primary purpose is to distinguish a person's manner of speaking and voice
patterns. Voice print systems are easy to implement as compared to some other biometric methods. Voice prints are
usually reliable and flexible.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Characteristic Factors

Question #95 of 105 Question ID: 1105331
You are examining an access control matrix for your organization. Which entity corresponds to a column in this matrix?
✗ A) capability
✓ B) object
✗ C) subject
✗ D) access control list (ACL)
Explanation
An object is an entity in the access control matrix to which subjects can be granted permissions. A column in an access
control matrix corresponds to the access control list (ACL) for an object.
A capability corresponds to a row in the access control matrix. A capability is a list of all the access permissions that a
subject has been granted.
A row in an access control matrix corresponds to a subject's capabilities, not just the subject.
Capabilities are granted by storing a list of rights with each subject.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models

Question #96 of 105 Question ID: 1114750
Which password types are usually the hardest to remember?
a. static password
b. dynamic password
c. cognitive password
d. user-generated password
e. software-generated password
✗ A) option d
✗ B) option c
✓ C) options b and e only
✗ D) options d and e only
✗ E) option e
✗ F) option b
✗ G) options a and c only
✗ H) option a
Explanation
Dynamic passwords and software-generated passwords are the same thing. They are also called one-time passwords
because they are only used during one login session. At the next login session, a new password is generated. They are
usually the hardest passwords to remember because they are so complex. Because of their complexity, they are also
harder to guess.
A static password, also called a user-generated password, is one created by the user. It is usually very easy for the
user to remember. In most companies, the password policy ensures that static passwords expire after a certain
amount of time.
A cognitive password is a password that is based on some personal fact or opinion. One of the most popular uses is for
security purposes to obtain confidential information. Cognitive passwords are things like your mother's maiden name,
your favorite color, or the school you graduated from.
One-time, or dynamic, passwords are considered to be more secure than static passwords and pass phrases. They are
usually generated by a piece of software. If the password generator is compromised, the entire system is in jeopardy.
There are different types of password generators.
A token device, sometimes called a transaction device, is usually a handheld device that presents a user with a list of
characters to be entered as a password for the computer. Only the device and the authentication server know the
password. When a challenge/response protocol is utilized with token device implementations, the authentication
service generates a challenge, and the smart token generates a response based on the challenge. In challenge-response
authentication, the user enters a random value sent by the authentication server into a token device. The
token device shares knowledge of a cryptographic secret key with the authentication server and calculates a response
based on the challenge value and the secret key.
A synchronous token device synchronizes with the authentication server based on time or a counter. A time-based
device must have the same time as the authentication server. The time value and a secret key are used to create the
one-time password, which is displayed for the user. A counter-based device uses an authentication value. The value
and a secret are hashed, and the one-time password is displayed for the user.
An asynchronous token device authenticates the user using a challenge/response mechanism. The authentication
server generates a random value. This random value is entered by the user, encrypted, and transmitted. A one-time
password is then generated.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
20 Desktop Tools to Generate and Manage Passwords, https://www.hongkiat.com/blog/password-tools/

Question #97 of 105 Question ID: 1105332
You are designing the access control for your organization's network. You need to ensure that access to network
resources is restricted. Which criteria can be used to do this?
✗ A) groups
✗ B) transaction type
✓ C) all of the choices
✗ D) roles
✗ E) location
✗ F) time of day
Explanation
Roles, groups, location, time of day, and transaction type can all be used to restrict access to resources. Regardless of
the criteria used, access administration can be simplified by grouping objects and subjects.
Roles are based upon a subject's job within the company. The roles are only granted those rights and privileges
needed to complete job assignments.
Groups are created to incorporate users that need the same access permissions into one common entity. When these
users need access to a resource, the permission is granted to the entire group. Using groups simplifies access control
administration.
Locations can be used to restrict user access to resources by limiting the location from which a subject can log on. A
Microsoft Windows domain can restrict user access to the domain by limiting the computer from which a user can log
on to the domain. This is done by entering the name of the computer from which the user can access the domain in the user's
account properties.
Time of day can be used to restrict user access to resources by limiting the days and times that a user is authorized to
work. A Microsoft Windows user account can be edited to allow only certain login times.
Transaction type is a commonly used access restriction method in databases. Subjects are given access permissions
based on transaction types. For example, a user may be allowed to view employee compensation, but not allowed to
edit it.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Content-Dependent Versus Context-Dependent

Question #98 of 105 Question ID: 1111756
Your company's domain security policy states that user account reviews should be performed twice a year. You have
been asked to perform user account reviews. What should you do?
✗ A) Ensure that users are accessing the system at appropriate times.
✓ B) Ensure that user accounts correspond to valid employees.
✗ C) Inform users that user account reviews are taking place.
✗ D) Ensure that users are accessing the system on appropriate dates.
Explanation
When you perform user account reviews, you should ensure that users have the appropriate level of access and that
user accounts correspond to valid employees. Verifying the appropriate level of access ensures that user accounts
have not been granted more permissions than necessary. Verifying that user accounts correspond to valid employees
ensures that no invalid accounts exist.
You should not ensure that users are accessing the system on appropriate dates or at appropriate times. It is not
normally necessary to verify this information. However, if you suspect that a user account has been compromised, you
could check to see if the user account is used during hours in which the user is not at work.
You should not inform users that user account reviews are taking place.
Organizations should have a process for requesting, establishing, issuing, and closing user accounts, tracking users
and their respective access authorizations, and managing these functions. As part of user account management, an
organization should ensure that the following policies are implemented:
Users should be rotated out of their current duties.
The users' accounts should be reviewed periodically.
A process for tracking access authorizations should be implemented.
Personnel in sensitive positions should be periodically re-screened.
User account reviews can examine conformity with the concept of least privilege. User account reviews may be
conducted on a system-wide or application-by-application basis.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage the identity and access provisioning lifecycle
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Identity and Account Management

Question #99 of 105 Question ID: 1114761
You are the security administrator for an organization that uses mandatory access control (MAC). Under this type of
access control, which entity(ies) would exist as objects?
a. a file
b. a user
c. a group
d. a printer
e. a computer
✓ A) options a, d, and e only
✗ B) option d
✗ C) all of the options
✗ D) option a
✗ E) option c
✗ F) option e
✗ G) options a, b, and c only
✗ H) option b
Explanation
Under MAC, a file, printer, or computer would exist as an object. Objects are resources that are accessed.
A user or group would exist as a subject. Subjects are entities that access objects.
In a MAC environment, a privilege that is not expressly permitted is forbidden. A clearance is a privilege. If a subject
needs access to an object, the administrator is the only person who can determine if access is allowed based on the
security policy.
Objective: Identity and Access Management (IAM)
Sub-Objective: Implement and manage authorization mechanisms
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Access Control Models

Question #100 of 105 Question ID: 1105275
Which statement is NOT true of cross certification?
✗ A) Cross certification is primarily used to establish trust between different PKIs.
✗ B) Cross certification builds an overall PKI hierarchy.
✓ C) Cross certification checks the authenticity of the certificates in the certification path.
✗ D) Cross certification allows users to validate each other's certificate when they are certified under different certification hierarchies.
Explanation
Cross certification does not check the authenticity of the certificates in the certification path. This function is performed
by certification path validation.
Cross certification is primarily used to establish trust between different PKIs and build an overall PKI hierarchy. Cross
certification allows users to validate each other's certificate when they are certified under different certification
hierarchies.
The primary purpose of cross certification is to build a trust relationship between different certification hierarchies when
users belonging to different hierarchies are required to communicate and might require authentication for legitimate
connections. The process implies the establishment of a trust relationship between two certificate authorities (CAs)
through the signing of another CA's public key in a certificate referred to as a cross certificate.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Federated Identity Management
Cross-Certification and PKI Policy Networking, http://www.entrust.com/resources/pdf/cross_certification.pdf

Question #101 of 105 Question ID: 1105317
Your organization has recently implemented Kerberos on your Windows Server 2003 network. Management is
concerned that the entities involved in Kerberos are protected. What is the most important component in this
environment?
✗ A) session keys
✗ B) authentication service (AS)
✗ C) ticket granting ticket (TGT)
✗ D) principals
✓ E) Key Distribution Center (KDC)
Explanation
The Key Distribution Center (KDC) is the most important component in a Kerberos environment. It is responsible for
managing all the secret keys, authenticating all users, and issuing tickets to valid users.
None of the other components listed are as important as the KDC.
Principals are the entities to which the KDC provides services. They may be users, applications, or services.
Session keys are symmetric keys used to encrypt and decrypt information that is passed between the principals and the
KDC. Using symmetric key cryptography, Kerberos authenticates clients to other entities on a network and facilitates
communications through the assignment of session keys.
A ticket-granting ticket (TGT) is the entity issued by the authentication service (AS) on the KDC to a principal. The TGT
proves the principal's identity throughout the communication process.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Kerberos

Question #102 of 105 Question ID: 1111747
You are implementing a biometric device for accessing a restricted area of your building. The location where the
biometric device will be located has many windows and a lot of natural sunlight. You are concerned that the amount of
sun shining on the biometric reader can affect the system's accuracy. Which type of biometric device can be affected by
this?
✓ A) iris scan
✗ B) retina scan
✗ C) fingerprint
✗ D) facial scan
Explanation
An iris scan can be affected by the sun shining on the biometric reader. The placement of the biometric device used to
perform the iris scan is very important. You must position the reader properly in the facility to ensure that the sun does
not shine into the opening.
An iris scan examines the unique patterns, colors, rings, and coronas of an individual's eye. Each characteristic is
captured by a camera and compared with the reference records of the employee that were gathered during the
enrollment phase.
The results from the iris scan are extensively used in personnel identification systems in organizations. The iris is a
protected organ, which makes the eye patterns captured through an iris scan stable throughout life.
Compared with retina scans, iris scans offer the following advantages:
less expensive
less enrollment time for the employees
less complex than the retina scan
less user authentication time
None of the other listed biometric devices would be affected by the sun shining on the reader. A retina scan examines a
user's retina to obtain the blood vessel pattern. A facial scan examines a person's face to measure different attributes,
such as bone structure, nose ridge, eye width, and so on. A fingerprint device examines the ridges and other
characteristics of a fingerprint.
A finger scan differs from a fingerprint scanner. A finger scan extracts features about the finger itself. A fingerprint scan
extracts features about the fingerprint only.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Characteristic Factors

Question #103 of 105 Question ID: 1113977
What is TEMPEST?
✗ A) an electronic access control system
✗ B) an encryption device
✓ C) a United States government program that reduces electronic equipment emanations
✗ D) an artificial intelligence system that solves problems
Explanation
TEMPEST is a United States government program that reduces electronic equipment emanations to reduce
eavesdropping attacks.
The Clipper chip is an encryption device developed by the United States government.
Neither of the other options is correct. An electronic access control system uses smart cards or biometrics to verify a
user's identity before the user is granted access to a building or room. Expert systems use artificial intelligence to solve
problems.
Objective: Identity and Access Management (IAM)
Sub-Objective: Control physical and logical access to assets
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Emanating

Question #104 of 105 Question ID: 1105289
Your company has several UNIX servers on its network. An IT co-worker has notified you that he noticed that all of
these UNIX servers have an /etc/shadow file. What is the best description of the purpose of this file?
✓ A) to store user passwords in a protected format
✗ B) to store the root password
✗ C) to store user passwords
✗ D) to store password security policy settings
Explanation
The purpose of the /etc/shadow file on a UNIX system is to store user passwords in a protected format. Only the root
user can access this file. Shadow data prevents users from seeing the contents of the password file.
None of the other options is the purpose of this file.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Password Types and Management
TLDP.org, Linux Password and Shadow File Formats, http://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html

Question #105 of 105 Question ID: 1105291
You have been asked to implement a new password management policy that includes using cognitive passwords to
verify a user's identity. What is the most correct explanation of this type of password?
✓ A) a password that is based on some personal fact or opinion
✗ B) a password that is composed of a long phrase
✗ C) a password that is composed of two totally unrelated words
✗ D) a password that is created by a password generator
Explanation
A cognitive password is based on some personal fact or opinion. Cognitive passwords are things like your mother's
maiden name, your favorite color, or the school you graduated from.
A password that is composed of a long phrase is a pass phrase. These passwords are usually harder to crack using a
brute force attack because of their length and complexity.
A password that is created by a password generator is a software-generated password. It is also known as a one-time
or dynamic password. This password type is very hard to remember.
A password that is composed of two unrelated words is a composition password.
A password is something you know or have memorized.
Objective: Identity and Access Management (IAM)
Sub-Objective: Manage identification and authentication of people, devices, and services
References:
CISSP Cert Guide (3rd Edition), Chapter 5: Identity and Access Management, Cognitive passwords